When you configure Edge-based bridging, after creating an Edge brige profile for an Edge cluster, some additonal configurations are required for an Edge node running in a VM.

Note that bridging a segment twice on the same Edge node is not supported. However, you can bridge two VLANs to the same segment on two different Edge nodes.

There are three configuration options.

Option 1: Edge VM is on a vDS/vSS portgroup

If the Edge VM is deployed on vSphere and connected to vDS (vSphere Distributed Switch) or vSS (vSphere Standard Switch) then promiscuous mode must be enabled.

  • Set promiscuous mode on the portgroup.
  • Allow forged transmit on the portgroup.
  • Run the following command to enable reverse filter on the ESXi host where the Edge VM is running:
    esxcli system settings advanced set -o /Net/ReversePathFwdCheckPromisc -i 1
    Then disable and enable promiscuous mode on the portgroup with the following steps:
    • Edit the portgroup's settings.
    • Disable promiscuous mode and save the settings.
    • Edit the portgroup's settings again.
    • Enable promiscuous mode and save the settings.
  • Do not have other port groups in promiscuous mode on the same host sharing the same set of VLANs.
  • The active and standby Edge VMs should be on different hosts. If they are on the same host the throughput might be reduced because VLAN traffic needs to be forwarded to both VMs in promiscuous mode.

Option 2: Edge VM is connected to an NSX-T segment

If the Edge is deployed on a host with NSX-T installed, it can connect to a VLAN segment and use MAC Learning which is the preferred configuration option.

  • Create a new MAC Discovery segment profile by navigating to Networking > Segments > Segment Profiles.
    • Click Add Segment Profile > MAC Discovery > .
    • Enable MAC Learning.
  • Edit the segment used by the Edge by navigating to Networking > Segments.
    • Click the menu icon (3 dots) and select Edit to edit the segment.
    • In the Segment Profiles section, set the MAC Discovery profile to the one created above.

Option 3: Alternative to Promiscuous Mode

This option is suitable if the Edge node is deployed on vDS or vSS and you wish to avoid enabling promiscuous mode. It is more involved than option 1.

  1. Retrieve the port number for the trunk vNIC that you want to configure as a sink port.
    1. Log in to the vSphere Web Client, and navigate to Home > Networking.
    2. Click the distributed port group to which the NSX Edge trunk interface is connected, and click Ports to view the ports and connected VMs. Note the port number associated with the trunk interface. Use this port number when fetching and updating opaque data.
  2. Retrieve the dvsUuid value for the vSphere Distributed Switch.
    1. Log in to the vCenter Mob UI at https://<vc-ip>/mob .
    2. Click content.
    3. Click the link associated with the rootFolder (for example: group-d1 (Datacenters)).
    4. Click the link associated with the childEntity (for example: datacenter-1).
    5. Click the link associated with the networkFolder (for example: group-n6).
    6. Click the DVS name link for the vSphere distributed switch associated with the NSX Edges (for example: dvs-1 (Mgmt_VDS)).
    7. Copy the value of the uuid string. Use this value for dvsUuid when fetching and updating opaque data.
  3. Verify if opaque data exists for the specified port.
    1. Go to https://<vc-ip>/mob/?moid=DVSManager&vmodl=1.
    2. Click fetchOpaqueDataEx.
    3. In the selectionSet value box paste the following XML input:
      <selectionSet xsi:type="DVPortSelection">
          <dvsUuid>c2 1d 11 50 6a 7c 77 68-e6 ba ce 6a 1d 96 2a 15</dvsUuid> <!-- example dvsUuid -->   
          <portKey>393</portKey>  <!-- example port number -->
      </selectionSet>

      Use the port number and dvsUuid value that you retrieved for the NSX Edge trunk interface.

    4. Set isRuntime to false.
    5. Click Invoke Method. If the result shows values for vim.dvs.OpaqueData.ConfigInfo, then there is already opaque data set, use the edit operation when you set the sink port. If the value for vim.dvs.OpaqueData.ConfigInfo is empty, use the add operation when you set the sink port.
  4. Configure the sink port in the vCenter managed object browser (MOB).
    1. Go to https://<vc-ip>/mob/?moid=DVSManager&vmodl=1.
    2. Click updateOpaqueDataEx.
    3. In the selectionSet value box paste the following XML input. For example,
      <selectionSet xsi:type="DVPortSelection">
          <dvsUuid>c2 1d 11 50 6a 7c 77 68-e6 ba ce 6a 1d 96 2a 15</dvsUuid> <!-- example dvsUuid -->   
          <portKey>393</portKey>  <!-- example port number -->
      </selectionSet>

      Use the dvsUuid value that you retrieved from the vCenter MOB.

    4. On the opaqueDataSpec value box paste one of the following XML inputs.

      Use this input to enable a SINK port if opaque data is not set (operation is set to add):

      <opaqueDataSpec>
          <operation>add</operation> 
          <opaqueData>
              <key>com.vmware.etherswitch.port.extraEthFRP</key>
              <opaqueData xsi:type="vmodl.Binary">AAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</opaqueData>
          </opaqueData>
      </opaqueDataSpec>
      
      Use this input to enable a SINK port if opaque data is already set ( operation is set to edit):
      <opaqueDataSpec>
          <operation>edit</operation> 
          <opaqueData>
              <key>com.vmware.etherswitch.port.extraEthFRP</key>
              <opaqueData xsi:type="vmodl.Binary">AAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</opaqueData>
          </opaqueData>
      </opaqueDataSpec>
      

      Use this input to disable a SINK port:

      <opaqueDataSpec>
          <operation>edit</operation>
              <opaqueData>
                  <key>com.vmware.etherswitch.port.extraEthFRP</key>
                  <opaqueData xsi:type="vmodl.Binary">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</opaqueData>
          </opaqueData>
      </opaqueDataSpec>
      
    5. Set isRuntime to false.
    6. Click Invoke Method.

What to do next

Associate a segment with the bridge profile. See Create a Layer 2 Bridge-Backed Segment.