For VMC you can create one VPN Layer 2.
There are 3 ways to configure L2 by deploying appropriate appliances:
- Deploy autonomous edge
- Deploy HCX L2 extensions
- Deploy standalone edge
Autonomous edge:
It is quite easy when you are using the NSX Autonomous edge. There are several well described steps how to deploy and configure (using web interface) this appliance.
From VPN -> layer 2 blade you can find link to VMware autonomous edge appliances:
Downloaded image should have the nsx-autonomous-edge-ovf-XXXX name.
Compatibility can be found:
Good example on how to install and configure autonomous edge you can find here: https://davidwzhang.com/2020/02/24/setting-up-l2vpn-in-vmc-on-aws/
Benefits:
- Easy to deploy and configure
- Fast start after failure
- Stable
- No need to have distributed switches in on-prem environment
Disadvantages:
- Limitation to 8 extended network
- Just one L2VPN can be set up
HCX L2 extension:
Similarly to the above, HCX can be deployed and configured in a quite straightforward way. You need to fulfill all the requirements described here:
- https://docs.vmware.com/en/VMware-HCX/4.3/hcx-user-guide/GUID-D64901F4-6AB4-4820-9303-27927648A34D.html
- https://docs.vmware.com/en/VMware-HCX/4.3/hcx-user-guide/GUID-8128EB85-4E3F-4E0C-A32C-4F9B15DACC6D.html — L2 minimum requirements
Benefits:
- Advanced network technologies used by that appliance (to optimize network traffic)
- Nice boundled in HCX as part of implementation
- Stable
- Can be restarted in a few second on another ESXi node in case of node failure
- Many appliances can be deployed (on both sides – on-prem and in VMC)
Disadvantages:
- Distributed switches are needed
- HCX appliances need some resources (usually it is not an issue, but need to be calculated before implementation)
NSX L2 edge:
Search for the newest NSX-l2t-client-large image and download it.
Deploy the OVF template as usual:
Pay attention to IP address (should be the same as the uplink interface and “Remote Private IP” in console.cloud.vmware.com VPN blade.
Peer Address and peer code should be also readed from the VPN blade (and configuration file).
Be sure that the values are set correctly.
There is another option you can set: “Enable TCP Loose settings”. This option is important if you want to keep your connection after the system has been migrated to VMC.
Also set HA Index to 0 (or other appropriate value).
After deployment you can login to the appliance and start ssh by:
Above VTI is one configured during appliance installation (and configuration wizard).
After a while (couple of minutes) the tunnel should be in up state:
Also from appliance the tunnel should be visible:
To add an additional vlan:segment pair you can add in the following way:
command : sub-interface pairs VLAN:segment.
Following command can be useful:
enable / conf tshow sub-interface- Configure set of pairs:
for i in {100..115}; do echo sub-interface pairs $i:$i; done - Remove sub-interface:
no sub-interface pairs vlan:tunnel_id
Benefits:
- Easy to deploy and configure
- Fast start after failure
- Stable
- No need to have distributed switches in on-prem environment
Disadvantages:
- Not as easy to configure as autonomous edge
- Just one L2VPN can be set up
- Potential problem with support (needs to be verified if it is still supported by VMware)
No Comments