With Layer 2 VPN (L2 VPN), you can extend Layer 2 networks (VNIs or VLANs) across multiple sites on the same broadcast domain. This connection is secured with a route-based IPSec tunnel between the L2 VPN server and the L2 VPN client.

Note: This L2 VPN feature is available only for NSX-T Data Center and does not have any third-party interoperability.

The extended network is a single subnet with a single broadcast domain, so VMs remain on the same subnet when they are moved between sites and their IP addresses do not change. So, enterprises can seamlessly migrate VMs between network sites. The VMs can run on either VNI-based networks or VLAN-based networks. For cloud providers, L2 VPN provides a mechanism to onboard tenants without modifying existing IP addresses used by their workloads and applications.

In addition to supporting data center migration, an on-premise network extended with an L2 VPN is useful for a disaster recovery plan and dynamically engaging off-premise compute resources to meet the increased demand.

Each L2 VPN session has one Generic Routing Encapsulation (GRE) tunnel. Tunnel redundancy is not supported. An L2 VPN session can extend up to 4094 L2 segments.

In NSX-T Data Center, L2 VPN services are supported only on Tier-0 gateways. Segments can be connected to either Tier-0 or Tier-1 gateways and use L2 VPN services.

Starting with NSX-T Data Center 2.5 release, VLAN-based segments can be extended using L2 VPN service on an NSX Edge that is managed in an NSX-T Data Center environment. This support allows the extension of L2 networks from VLAN to VNI, VLAN to VLAN, and VNI to VNI.

Also supported is VLAN trunking using an ESX NSX-managed virtual distributed switch (N-VDS). If the compute and I/O resources allow, VLAN trunking enables one NSX Edge cluster to extend multiple VLAN networks over a single interface.

The L2 VPN service support is provided in the following scenarios.
  • Between an NSX-T Data Center L2 VPN server and an L2 VPN client hosted on an NSX Edge that is managed in an NSX Data Center for vSphere environment. A managed L2 VPN client supports both VLANs and VNIs.
  • Between an NSX-T Data Center L2 VPN server and an L2 VPN client hosted on a standalone or unmanaged NSX Edge. An unmanaged L2 VPN client supports VLANs only.
  • Between an NSX-T Data Center L2 VPN server and an L2 VPN client hosted on an autonomous NSX Edge. An autonomous L2 VPN client supports VLANs only.
  • Beginning with NSX-T Data Center 2.4 release, L2 VPN service support is available between an NSX-T Data Center L2 VPN server and NSX-T Data Center L2 VPN clients. In this scenario, you can extend the logical L2 segments between two on-premises software-defined data centers (SDDCs)