During meetings with customers, I am asked lots of questions about L2 extension capabilities on VMware Cloud on AWS, such as retaining the same IP addresses as production and live-migrating workloads without business disruption. To address these challenges, VMware offers a very powerful tool, HCX, for both L2 extension and workload migration, and it is provided free of charge when purchasing VMware Cloud on AWS. However, L2 extension with HCX requires a vSphere Distributed Switch (VDS), and the VDS in turn is only available with the top-level vSphere Enterprise Plus license. Many customers only have the vSphere Standard license, so HCX can't be used for L2 extension. To address that licensing concern, or if L2 extension is all you need, the NSX Autonomous Edge is a good choice.
So, VMware Cloud on AWS provides two options for extending an on-prem network to the SDDC: HCX Network Extension (NE) and L2VPN (using the Autonomous Edge, or an NSX-T Edge if you already have one in your environment, as the L2VPN client). While both solutions provide the same basic functionality, they differ in several respects. The following is a quick comparison (based on SDDC release M16 and HCX 4.2):
| Supported Functionalities | NSX Autonomous Edge | HCX |
|---|---|---|
| Resiliency | Active/Standby | vSphere-based HA |
| vSwitch Type | VSS, VDS | VDS |
| Network Type | VLAN | VXLAN, VLAN |
| No. of Extended Networks | 14 | 200 |
| Mgmt. Interface | GUI | GUI |
| VPN Tunnel termination endpoints | Tier-0 Router on SDDC | HCX L2C – HCX L2C |
| Others | Needs NSX-T license to download | Mobility Optimized Networking capability |
In this post, I am writing a step-by-step guide to extend VLAN 100 from on-prem to a VMware Cloud on AWS SDDC (as per the diagram below). The L2VPN consists of an L2VPN server and an L2VPN client. The L2VPN server is configured on VMware Cloud on AWS (on the NSX Edge Tier-0 router), while the NSX Autonomous Edge is configured as the L2VPN client on-prem. To simplify the configuration, I have divided it into 3 phases: Phase 1, L2VPN server configuration and segment creation on the VMware Cloud on AWS SDDC; Phase 2, deployment of the Autonomous Edge on-prem; Phase 3, configuration of the Autonomous Edge and establishing the L2VPN session.
Prerequisite
UDP 500/4500, ESP and AH (IP protocols 50/51) must be allowed from the on-premises L2VPN client to the VMC SDDC L2VPN server. If the client sits behind NAT, as in this walkthrough, the IPsec traffic is carried as NAT-T on UDP 4500, so that port is the one that must not be blocked on the NAT device.
SDDC and Autonomous Edge environment
SDDC version: 1.16
NSX-Edge: 3.1.1.0.0.17483065
Phase 1: Configure L2VPN Server and create segment in VMware Cloud on AWS SDDC end
Step 1: Log in to your VMC Console, go to the Networking & Security tab, then Network -> VPN -> Layer 2, and click "ADD VPN TUNNEL".
Step 2: Configure VPN Server
Select Public IP from the Local IP Address drop-down (if you have a Direct Connect connection, choose the private Local IP instead) and enter the public IP of the L2VPN's remote end as the Remote IP. On the on-prem site my Autonomous Edge sits behind a NAT device, so the Remote Private IP (the edge's internal, NAT-ed address) is also required. Then click 'SAVE'.
Step 3: To configure the extended network segment, click 'ADD SEGMENT'. In my case I am configuring Segment Name: VLAN 100-l2vpn and VPN Tunnel ID: 100 (the tunnel ID must match the tunnel ID configured on-prem in Phase 3).
Step 4: Click 'DOWNLOAD CONFIG'. The downloaded text file contains the peer code; we need it later to configure the L2VPN peer on the Autonomous Edge.
Note: The downloaded config file contains a peer code string (highlighted in the screenshot); copy and paste that value when creating the session on the Autonomous Edge.
Phase 2: Deploy NSX-T Autonomous Edge (L2VPN Client)
Note: The Autonomous Edge is deployed with 4 interfaces. To visualize how the Autonomous Edge connects via those interfaces I have drawn the diagram below. Each interface needs a port group, so if you don't have suitable port groups on your on-prem vCenter yet, please create them (I have created the following 4 port groups):
- PG-MGMT (Autonomous Edge management access)
- PG-External (external connectivity; this interface is used to establish the L2VPN peering)
- PG-L2VPN-Trunk01 (trunk port group: VLAN ID 4095 on a VSS or a VLAN trunking range on a VDS, with the security policy set to Promiscuous mode: Accept and Forged transmits: Accept; keep these relaxed settings limited to this trunk port group, since they let any VM attached to it see and spoof traffic for every VLAN on the trunk)
- PG-HA (only needed if you want to deploy an active/standby Autonomous Edge pair)
Download Autonomous Edge:
In the VMware Cloud on AWS console, navigate to Networking & Security -> VPN -> Layer 2 and click 'REMOTE AUTONOMOUS EDGE DOWNLOAD'; this takes you to the download page for the NSX Edge OVA.
Step 5: Log in to your on-prem vCenter, right-click the cluster and click 'Deploy OVF Template'. In the Deploy OVF Template wizard, select the NSX Edge OVA file and click 'NEXT'.
Step 6: Supply the virtual machine's inventory name, select a location and click 'NEXT'.
Step 7: Select Compute resource and click on ‘NEXT’
Step 8: Choose the size of the Autonomous Edge and click ‘NEXT’
Step 9: Select storage and click on ‘NEXT’
Step 10: Select the networks according to the table below, then click 'NEXT'.

| Edge VM vNIC | OVF Template | Edge GUI | Purpose |
|---|---|---|---|
| Network Adapter 1 | Network 0 | Management (eth0) | Management |
| Network Adapter 2 | Network 1 | eth1 | Uplink/External |
| Network Adapter 3 | Network 2 | eth2 | Trunk |
| Network Adapter 4 | Network 3 | eth3 | HA |
Step 11: This step is a bit confusing as it asks for a lot of information. I have taken screenshots of the important portions only; the rest can be left at the defaults. Supply all the required passwords in the password section and don't forget to tick the 'Autonomous Edge' checkbox (without it the OVA deploys as a regular NSX Manager-joined edge rather than a standalone one).
In the Network Properties section, supply the hostname and the management IP, subnet and gateway.
In the DNS and NTP section, enter the DNS and NTP servers.
The External Port configuration section is very important: supply the VLAN ID, interface, NAT-ed internal IP address and prefix length as one comma-separated string (for example: 0,eth1,xx.xx.xx.xx,24, where VLAN 0 means untagged and 24 is the prefix length, not a dotted subnet mask), plus the gateway. As we are not using any internal port and not configuring HA this time, those sections are left blank. Leave the remaining fields at their defaults and click 'NEXT'.
Step 12: Have a final review and click on ‘FINISH’
Phase 3: Configure NSX-T Autonomous Edge (L2VPN Client)
Power on the Autonomous Edge VM; it takes some time for the OS and daemons to initialize. Once it is done you should be able to reach the web console via the management IP address (https://xx.xx.xx.xx). Navigate to 'PORT' and you should see the external port configuration (the information we supplied during the OVA deployment).
Step 13: Now select 'L2VPN' and click 'ADD SESSION'. Provide the Session Name (e.g. L2VPN_Client), enable the Admin status, set the Local IP (the eth1 IP, the internal NAT-ed IP in my case) and the Remote IP (the public IP on the VMware Cloud on AWS end), paste the peer code we downloaded in Step 4, and 'SAVE' it.
Step 14: Now verify the L2VPN session; it should be UP.
Step 15: Go to PORT -> ADD PORT and provide the details of the VLAN you want to extend (in my case: Port name VLAN100-L2ext, VLAN 100 and interface eth2, the trunk interface on Network Adapter 3) and 'SAVE' it.
Step 16: Go to L2VPN -> ATTACH PORT. Select the session 'L2VPN_Client', the port we just created ('VLAN100-L2ext', VLAN 100) and tunnel ID 100 (to keep it simple I used the same number as the VLAN ID; the tunnel ID must match on both sites) and hit 'SAVE'.
Step 17: Verify that the VPN tunnel/session is up on both sites. On the Autonomous Edge, navigate to 'L2VPN' and verify the session is up. In the VMC console, navigate to 'VPN' -> 'Layer 2' and make sure the session status is 'SUCCESS'.
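The three things that most often break this walkthrough are a firewall that does not pass the IPsec flows from the prerequisite, a malformed External Port string in Step 11, and a tunnel ID that differs between the SDDC segment (Step 3) and the Autonomous Edge port attachment (Step 16). The following pre-flight checker is an added example written for this post, not VMware or NSX code. It assumes the External Port property format shown above (VLAN,interface,IP,prefix), the 14-extended-network limit from the comparison table, and a simple constructed rule format of (protocol, port or IP protocol number) tuples; the addresses are documentation ranges, not real hosts.

```python
"""Pre-flight checks for the Autonomous Edge L2VPN walkthrough (added example)."""
import ipaddress
from dataclasses import dataclass

# Flows from the prerequisite: IKE (UDP 500), NAT-T (UDP 4500), ESP (50), AH (51).
REQUIRED_FLOWS = {("udp", 500), ("udp", 4500), ("ip", 50), ("ip", 51)}
# Limit from the comparison table above (assumed to apply to one edge).
MAX_EXTENDED_NETWORKS = 14


def missing_flows(allowed_rules):
    """Return the required IPsec flows that a (constructed) ruleset does not permit.

    Rules are (protocol, number) tuples: ("udp", port) or ("ip", ip_protocol).
    """
    allowed = {(proto.lower(), int(num)) for proto, num in allowed_rules}
    return sorted(REQUIRED_FLOWS - allowed)


@dataclass
class ExternalPort:
    vlan: int
    interface: str
    address: ipaddress.IPv4Interface


def parse_external_port(spec, gateway):
    """Validate the OVA 'External Port' property 'vlan,interface,ip,prefix'.

    Checks the VLAN range, that the interface is an ethN name, that the
    prefix is a length (not a dotted mask) and that the gateway is on-link.
    """
    parts = [p.strip() for p in spec.split(",")]
    if len(parts) != 4:
        raise ValueError(f"expected 4 comma-separated fields, got {len(parts)}: {spec!r}")
    vlan_s, iface, ip_s, prefix_s = parts
    vlan = int(vlan_s)
    if not 0 <= vlan <= 4094:
        raise ValueError(f"VLAN {vlan} out of range 0-4094")
    if not (iface.startswith("eth") and iface[3:].isdigit()):
        raise ValueError(f"interface must be ethN, got {iface!r}")
    if not prefix_s.isdigit():
        raise ValueError(f"prefix must be a length such as 24, got {prefix_s!r}")
    address = ipaddress.IPv4Interface(f"{ip_s}/{prefix_s}")
    gw = ipaddress.IPv4Address(gateway)
    if gw not in address.network:
        raise ValueError(f"gateway {gw} is not inside {address.network}")
    if gw == address.ip:
        raise ValueError("gateway must differ from the port IP")
    return ExternalPort(vlan, iface, address)


def tunnel_id_problems(sddc_segments, edge_ports):
    """Compare tunnel IDs on the SDDC (Phase 1) with those attached on the edge (Phase 3).

    Both arguments map a segment/port name to its tunnel ID. Returns a list of
    human-readable problems; an empty list means the two sides agree.
    """
    problems = []
    if len(edge_ports) > MAX_EXTENDED_NETWORKS:
        problems.append(
            f"{len(edge_ports)} extended networks exceeds the {MAX_EXTENDED_NETWORKS} supported")
    for side, mapping in (("SDDC", sddc_segments), ("edge", edge_ports)):
        if len(set(mapping.values())) != len(mapping):
            problems.append(f"duplicate tunnel IDs on the {side} side")
    sddc_ids, edge_ids = set(sddc_segments.values()), set(edge_ports.values())
    for tid in sorted(sddc_ids - edge_ids):
        problems.append(f"tunnel ID {tid} exists on the SDDC segment but is not attached on the edge")
    for tid in sorted(edge_ids - sddc_ids):
        problems.append(f"tunnel ID {tid} is attached on the edge but has no SDDC segment")
    return problems


if __name__ == "__main__":
    # Constructed sample data mirroring the walkthrough.
    print(missing_flows([("udp", 500), ("ip", 50)]))
    print(parse_external_port("0,eth1,192.0.2.10,24", "192.0.2.1"))
    print(tunnel_id_problems({"VLAN 100-l2vpn": 100}, {"VLAN100-L2ext": 101}))
```

Run the checker with the segment-to-tunnel-ID mapping from the VMC console and the port attachments from the edge GUI; a mismatch such as 100 on one side and 101 on the other is reported before you spend time staring at a session that never leaves the DOWN state.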