There are no specific constraints to configure bridging on a bare metal edge. However, if you are planning to run a bridge on an NSX Edge VM, use this section to understand the specific configuration to perform in the vSphere infrastructure.

As an example, our scenario includes two virtual machines, VM1 and VM2, on transport node ESXi 1 attached to an overlay segment S. The VMs can communicate at layer 2 with the physical host on the right side of the diagram thanks to a bridge instantiated on the edge VM running on ESXi host 2. The TEP (tunnel end point) on ESXi 1 encapsulates the traffic from VM1/VM2 and forwards it to the TEP of the edge VM. The bridge then decapsulates the traffic and sends it, tagged with VLAN ID 10, on its VLAN uplink, where it is switched to the physical host.
Figure 1. Edge VM Bridging
Edge VM connectivity using layer 2 bridging, with tunnel end points across two ESXi hosts.

Option 1: Edge VM is on a VSS portgroup

This option is for when the Edge VM is connected to a VSS (vSphere Standard Switch). You must enable promiscuous mode and forged transmit.

  • Set promiscuous mode on the portgroup.
  • Allow forged transmit on the portgroup.
  • Run the following command to enable reverse filter on the ESXi host where the Edge VM is running:
    esxcli system settings advanced set -o /Net/ReversePathFwdCheckPromisc -i 1
    Then disable and enable promiscuous mode on the portgroup with the following steps:
    • Edit the portgroup's settings.
    • Disable promiscuous mode and save the settings.
    • Edit the portgroup's settings again.
    • Enable promiscuous mode and save the settings.
  • Do not have other port groups in promiscuous mode on the same host sharing the same set of VLANs.
  • Avoid running other VMs attached to the portgroup in promiscuous mode on the same host, as the traffic gets replicated to all those VMs and affects performance.
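
The Option 1 checklist can be verified from the ESXi shell. The script below is an added example, not part of the original documentation: it checks captured `esxcli` output for the reverse filter and the portgroup security policy, and lists other promiscuous portgroups whose VLAN overlaps the edge portgroup. The `portgroup|vlan|promiscuous` inventory format, the portgroup names and the sample output are constructed assumptions, so compare the field labels with your host's actual output.

```shell
# Added example: audit a host against the Option 1 checklist.
# Each function reads captured esxcli output (or an inventory) on stdin.

# Value of the first "Label: value" line whose label is $1.
field() { sed -n "s/^ *$1: *//p" | head -n 1; }

# stdin: esxcli system settings advanced list -o /Net/ReversePathFwdCheckPromisc
reverse_filter_enabled() { [ "$(field 'Int Value')" = "1" ]; }

# stdin: esxcli network vswitch standard portgroup policy security get -p <pg>
bridge_policy_ok() {
    policy=$(cat)
    [ "$(printf '%s\n' "$policy" | field 'Allow Promiscuous')" = "true" ] &&
        [ "$(printf '%s\n' "$policy" | field 'Allow Forged Transmits')" = "true" ]
}

# stdin: one "portgroup|vlan|promiscuous" line per portgroup on the host
# (hypothetical inventory format). Prints the other promiscuous portgroups
# whose VLAN overlaps edge portgroup $1; VLAN ID 4095 carries every VLAN.
promisc_conflicts() {
    awk -F'|' -v edge="$1" '
        { vlan[$1] = $2; prom[$1] = $3 }
        END {
            ev = (edge in vlan) ? vlan[edge] : ""
            for (pg in vlan) {
                if (pg == edge || prom[pg] != "true") continue
                if (vlan[pg] == ev || vlan[pg] == "4095" || ev == "4095") print pg
            }
        }' | sort
}

# Constructed sample data, not captured from a real host.
SAMPLE_ADVANCED='   Path: /Net/ReversePathFwdCheckPromisc
   Int Value: 0
   Default Int Value: 0'
SAMPLE_POLICY='   Allow Promiscuous: true
   Allow MAC Address Change: false
   Allow Forged Transmits: true'
SAMPLE_INVENTORY='edge-bridge-pg|10|true
capture-pg|10|true
trunk-pg|4095|true
mgmt-pg|20|true
app-pg|10|false'

printf '%s\n' "$SAMPLE_ADVANCED" | reverse_filter_enabled ||
    echo "reverse filter is off: set /Net/ReversePathFwdCheckPromisc to 1"
printf '%s\n' "$SAMPLE_POLICY" | bridge_policy_ok && echo "portgroup policy ok"
printf '%s\n' "$SAMPLE_INVENTORY" | promisc_conflicts edge-bridge-pg |
    sed 's/^/conflicting promiscuous portgroup: /'
```

On a live host, pipe the output of the commands named in the comments into the first two functions instead of the samples.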

Option 2a: Edge VM is on a VDS 6.6.0 (or later) portgroup

This option is for when the Edge VM is connected to a VDS (vSphere Distributed Switch). You must be running ESXi 6.7 or later, and VDS 6.6.0 or later.

  • Enable MAC learning with the option “allow unicast flooding” on the distributed portgroup.

    Starting with vSphere 8.0, you can enable the MAC Learning UI option in the distributed portgroup configuration. For previous releases, you need to use the VIM API DVSMacLearningPolicy and set allowUnicastFlooding to true.

Option 2b: Edge VM is on a VDS 6.5.0 (or later) portgroup

This option is for when the Edge VM is connected to a VDS. You must enable promiscuous mode and forged transmit.

  • Set promiscuous mode on the distributed portgroup.
  • Allow forged transmit on the distributed portgroup.
  • Run the following command to enable reverse filter on the ESXi host where the Edge VM is running:
    esxcli system settings advanced set -o /Net/ReversePathFwdCheckPromisc -i 1
    Then disable and enable promiscuous mode on the distributed portgroup with the following steps:
    • Edit the distributed portgroup's settings.
    • Disable promiscuous mode and save the settings.
    • Edit the distributed portgroup's settings again.
    • Enable promiscuous mode and save the settings.
  • Do not have other distributed port groups in promiscuous mode on the same host sharing the same set of VLANs.
  • Avoid running other VMs attached to the distributed portgroup in promiscuous mode on the same host, as the traffic gets replicated to all those VMs and affects performance.

Option 3: Edge VM is connected to an NSX segment

If the Edge is deployed on a host with NSX installed, it can connect to a VLAN segment and use MAC Learning, which is the preferred configuration option.

  • Create a new MAC Discovery segment profile by navigating to Networking > Segments > Profiles.
    • Click Add Segment Profile > MAC Discovery.
    • Enable MAC Learning. This will also enable Unknown Unicast Flooding. Keep the flooding option enabled for bridging to work in all scenarios.
    • Click Save.
  • Edit the segment used by the Edge by navigating to Networking > Segments.
    • Click the menu icon (3 dots) and select Edit.
    • Expand the Segment Profiles section, then set the MAC Discovery profile to the one created above.

Note: If you bridge a segment to VLAN 0 and you use a distributed router on this segment, the gateway might not route VLAN 0 traffic when using MAC learning. In this scenario, avoid option 3. Avoid option 2a if the edge VM is attached to the distributed portgroup of a VDS prepared for NSX for vSphere.