NSX – Extending Segments with L2VPN
The L2VPN functionality of VMware NSX can be used to extend your software-defined network segments into remote datacenters or your cloud provider tenancy. This provides an excellent solution for migrating workloads without requiring IP address changes.
This post walks through a sample configuration that builds an L2VPN and extends an NSX Overlay segment from one Holodeck site (A) to a secondary Holodeck site (A2).
Configuration Overview
Steps – Site A (Server):
Configure Route Redistribution for VPN Endpoint IP
Configure IPSEC Service
Configure L2VPN Server
Configure VPN Endpoint IP
Configure L2VPN Session
Steps – Site A2 (Client):
Configure Route Redistribution for VPN Endpoint IP
Configure IPSEC Service
Configure L2VPN Client
Configure L2VPN Session
Segment Extension and Validation:
Confirm Tunnel Established
Extend Segment
Segment Gateway Migration
IP Ranges:
| Item | Address |
|---|---|
| Holo-Site-A VPN Endpoint | 172.27.255.254/32 |
| Holo-Site-A2 VPN Endpoint | 172.27.255.253/32 |
| L2VPN Tunnel IP Range | 172.27.255.0/29 |
| Holo-Site-A Tunnel IP | 172.27.255.1 |
| Stretched Overlay Segment Subnet | 10.70.0.0/24 |
| Stretched Overlay Segment Gateway | 10.70.0.1 |
| Test VM – Site A | 10.70.0.10 |
| Test VM – Site A2 | 10.70.0.11 |
Site A Configuration
First, we need to confirm that route redistribution is enabled for IPSec Local Endpoints on both the T1 and T0 routers. This ensures that the VPN Endpoint IP is pushed into the routing table and is reachable on the network once it is configured.
Repeat these steps for both Site A and A2.
Tier 1:
Tier 0:
Note: The screenshot above shows only the enabled redistribution items. If “IPSec Local Endpoint” is not listed, click the “EDIT” button at the top of the screenshot to enable it.
Create the IPSec Service
Create the L2VPN Server Service
Now we configure the Site A L2VPN Server Endpoint IP.
From my core router I can see that the Endpoint IP is being redistributed and is reachable via the Site-A T0, and it responds to ping:
Configure the L2VPN Session on Site A
Lastly, we download the configuration to assist with the Site A2 client configuration:
Site A2
Repeat the same steps as Site A for IPSEC and L2VPN Services. Ensure you select “L2VPN Client” instead of server at this site.
Create the L2VPN Session. You will need the client config file downloaded from Site A to fill in the Peer Code. Note that this file should be kept secure, as it contains the pre-shared key.
Click Save. This also adds the L2VPN Client IP into the routing table, as verified here from the core router, reachable via the Site-A2 T0.
This completes the tunnel configuration.
Segment Extension
Browse to the L2 VPN Sessions tab; on both sites the status should show “Success” once the tunnel has been established.
Now we can extend a segment from Site-A to Site-A2.
I have an existing segment at Site A that I want to extend to Site A2.
Edit the segment; in the L2 VPN section, select the L2VPN session and enter a VPN Tunnel ID. This ID must match on both ends of the segment to link them together.
Site A
Site A2
Note: The Gateway IP can only be active at a single site, so for A2 ensure that “Gateway Connectivity” is disabled.
Validation
I have a VM on Site A (10.70.0.10) and a VM on Site A2 (10.70.0.11). These VMs can successfully ping each other.
Because the gateway for this subnet resides at Site A, a VM at Site-A2 must traverse the L2VPN tunnel to reach the gateway at Site-A for any communication outside the subnet.
Gateway Cutover
Customers typically use L2VPNs on a temporary basis to facilitate migration to a new datacenter or cloud provider. Once all VMs on a network segment have been migrated, you’ll likely want to cut over the gateway IP to the remote site, and bring down the L2VPN.
First we’ll validate the routing.
We see that the subnet route is pointing to the Site-A T0.
Now we’ll disable the gateway connectivity on the segment at Site-A, and enable the gateway connectivity at Site-A2.
Now that the gateway has been cut over, if we review the routing again we see that the subnet is routed towards the Site-A2 T0.
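The post checks the core router's routing table by eye at three points: the endpoint /32s after the services are created, and the stretched subnet's next hop before and after the gateway cutover. The script below is an added example, not code from the original post or from VMware, that performs the same checks on a constructed, simplified route dump. It also flags the case the earlier note warns about: if Gateway Connectivity is enabled at both sites, the subnet shows up from both T0s and the route becomes ambiguous. The T0 uplink addresses (192.0.2.10 for Site-A, 198.51.100.10 for Site-A2), the route-line format and the sample dumps are constructed placeholders; the prefixes are the post's own.

```python
"""Route-table verification for the L2VPN endpoints and the gateway cutover (added example)."""
import re

SITE_A_T0 = "192.0.2.10"      # constructed placeholder for the Site-A T0 uplink
SITE_A2_T0 = "198.51.100.10"  # constructed placeholder for the Site-A2 T0 uplink
T0_SITE = {SITE_A_T0: "Site-A", SITE_A2_T0: "Site-A2"}

# Constructed, simplified "show ip route" line: <proto> <prefix> via <next-hop>
ROUTE_LINE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+via\s+(?P<nexthop>\d+\.\d+\.\d+\.\d+)")


def parse_routes(text):
    """Map prefix -> set of next hops; lines that do not look like routes are ignored."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_LINE.match(line.strip())
        if m:
            routes.setdefault(m["prefix"], set()).add(m["nexthop"])
    return routes


def check_endpoints(routes):
    """Return the VPN endpoint /32s that are missing or not reached via the expected T0."""
    expected = {"172.27.255.254/32": SITE_A_T0, "172.27.255.253/32": SITE_A2_T0}
    return [p for p, hop in expected.items() if routes.get(p) != {hop}]


def stretched_subnet_site(routes, subnet="10.70.0.0/24"):
    """Which site currently owns the segment gateway, judged from the route table."""
    hops = routes.get(subnet, set())
    if not hops:
        return None
    if len(hops) > 1:
        # Advertised by more than one T0: gateway connectivity is likely enabled at both sites.
        return "ambiguous"
    return T0_SITE.get(next(iter(hops)), "unknown")


# Constructed dumps representing the core router before and after the cutover.
BEFORE_CUTOVER = """\
B   172.27.255.254/32 via 192.0.2.10
B   172.27.255.253/32 via 198.51.100.10
B   10.70.0.0/24 via 192.0.2.10
"""
AFTER_CUTOVER = """\
B   172.27.255.254/32 via 192.0.2.10
B   172.27.255.253/32 via 198.51.100.10
B   10.70.0.0/24 via 198.51.100.10
"""


def verify_cutover(before_text, after_text):
    """Return (site before, site after); a clean cutover reads ('Site-A', 'Site-A2')."""
    before, after = parse_routes(before_text), parse_routes(after_text)
    missing = check_endpoints(before) + check_endpoints(after)
    if missing:
        raise ValueError(f"VPN endpoint routes not as expected: {missing}")
    return stretched_subnet_site(before), stretched_subnet_site(after)


if __name__ == "__main__":
    print(verify_cutover(BEFORE_CUTOVER, AFTER_CUTOVER))
```

Paste the real router output in place of the constructed dumps and adjust the regular expression to the platform's route format; the checks themselves do not change.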