You can use L2 VPN to extend your Layer 2 networks to a site that is not managed by NSX. An autonomous NSX Edge, also referred to as NSX Edge for VMware ESXi, can be deployed on the site, as an L2 VPN client. The autonomous for VMware NSX Edge is simple to deploy, easily programmable, and provides high-performance VPN. The autonomous NSX Edge is deployed using an OVF file on a host that is not managed by NSX. You can also enable high availability (HA) for VPN redundancy by deploying primary and secondary autonomous Edge L2 VPN clients.
Prerequisites
- Create a port group and bind it to the vSwitch on your host. Ensure that this port group accepts promiscuous mode and forged transmits from the port group's security settings. For instructions, see Configure an NSX Edge Uplink Port in ESXi.
- Create a port group for your internal L2 extension port.
- Obtain the IP addresses for the local IP and remote IP to use with the L2 VPN client session you are adding.
- Obtain the peer code that was generated during the L2 VPN server configuration.
Procedure
- Using vSphere Web Client, log in to the VMware vCenter that manages the non-NSX environment.
- Select Hosts and Clusters and expand clusters to show the available hosts.
- Right-click the host where you want to install the autonomous NSX Edge and select Deploy OVF Template.
- Enter the URL to download, https://support.broadcom.com/group/ecx/downloads, select the version, and click Download Now to install the NSX Edge for VMware ESXi OVA file from the Internet or click Browse to locate the folder on your computer that contains the autonomous NSX Edge for VMware ESXi file and click Next.
This appliance can be used for both autonomous and managed Edges.
- On the Select name and folder page, enter a name for the autonomous NSX Edge and select the folder or data center where you want to deploy. Then click Next.
- On the Select a compute resource page, select the destination of the compute resource.
- On the OVF Template Details page, review the template details and click Next.
- On the Configuration page, select a deployment configuration option.
- On the Select storage page, select the location to store the files for the configuration and disk files.
- On the Select networks page, configure the networks that the deployed template must use. Select the port group you created for the uplink interface, the port group that you created for the L2 extension port, and enter an HA interface. Click Next.
- On the Customize Template page, enter the following values and click Next.
- Type and retype the CLI admin password.
- Type and retype the CLI enable password.
- Type and retype the CLI root password.
- Enter the IPv4 address for the Management Network.
- Enable the option to deploy an autonomous Edge.
- Enter the External Port details for VLAN ID, exit interface, IP address, and IP prefix length such that the exit interface maps to the Network with the port group of your uplink interface.
If the exit interface is connected to a trunk port group, specify a VLAN ID. For example, 20,eth2,192.168.5.1,24. You can also configure your port group with a VLAN ID and use VLAN 0 for the External Port.
- (Optional) To configure High Availability, enter the HA Port details where the exit interface maps to the appropriate HA Network.
- (Optional) When deploying an autonomous NSX Edge as a secondary node for HA, select Deploy this autonomous-edge as a secondary node.
Use the same OVF file as the primary node and enter the primary node's IP address, user name, password, and thumbprint.
To retrieve the thumbprint of the primary node, log in to the primary node and run the following command:
get certificate api thumbprint
Ensure that the VTEP IP addresses of the primary and secondary nodes are in the same subnet and that they connect to the same port group. When you complete the deployment and start the secondary-edge, it connects to the primary node to form an edge-cluster .
- On the Ready to complete page, review the autonomous Edge settings and click Finish.
Note: If there are errors during the deployment, a message of the day is displayed on the CLI. You can also use an API call to check for errors:
GET https://<nsx-mgr>/api/v1/node/status
The errors are categorized as soft errors and hard errors. Use API calls to resolve the soft errors as required. You can clear the message of day using an API call:
POST /api/v1/node/status?action=clear_bootup_error
- Power on the autonomous NSX Edge appliance using the vSphere Web Client. Open the console of the NSX Edge node to track the boot process using Launch Remote Console.
- After the NSX Edge starts, log in to the Edge node using the console or SSH (provided SSH is enabled at the time of install) with admin credentials.
Note: After the
NSX Edge node starts, if you do not log in with admin credentials for the first time, the data plane service does not automatically start on the
NSX Edge node.
- Select and enter the following values:
- Click Save.
- Select to create an L2 extension port.
- Enter a name, a VLAN, and select an exit interface.
- Click Save.
- Select and enter the following values:
- Select the L2 VPN session that you created.
- Select the L2 extension port that you created.
- Enter a tunnel ID.
- Click Attach.
You can create additional L2 extension ports and attach them to the session if you need to extend multiple L2 networks.
- Use the browser to log in to the autonomous NSX Edge or use API calls to view the status of the L2VPN session.
Note: If the L2VPN server configuration changes, ensure that you download the peer code again and update the session with the new peer code.