Configure L2 VPN service to stretch multiple logical networks across geographical sites

By | September 1, 2018

In this post, we will cover the following topics of Objective 3.2 of the VCAP6-NV Deploy Exam

Objective 3.2 – Configure and Manage Logical Virtual Private Networks (VPNs)

  • Configure IPSec VPN service to enable site to site communication
  • Configure SSL VPN service to allow remote users to access private networks
  • Configure L2 VPN service to stretch multiple logical networks across geographical sites

Configure L2 VPN service to stretch multiple logical networks across geographical sites

The NSX L2 VPN service extends Layer 2 connectivity between remote sites.

The L2 VPN is a point-to-point service that allows a Layer 2 subnet to be stretched between sites over a Layer 3 IP network, encrypted inside an SSL VPN tunnel.

The subnets that are configured to traverse L2 VPN share the same Layer 2 address space.

You can configure VLAN to VLAN, VLAN to VXLAN (and vice-versa) or VXLAN to VXLAN between sites.

One site is configured as the L2 VPN Server (destination) and the other as the L2 VPN Client (initiates the connection).

The L2 VPN service can only be configured on the NSX Edge Services Gateway (ESG).

Some use cases for this service might include:

  • Migrating VMs to secondary data centre.
  • Migrating to a service provider cloud (VMware vCloud Director).
  • Cloud bursting where on-premises private cloud bursts into a public cloud for on-demand capacity spikes.
  • Other use cases exist beyond these.

You can configure the NSX L2 VPN service between two sites that are both NSX enabled (VXLAN to VXLAN), or from one NSX enabled site to a non-NSX enabled site (VXLAN to VLAN).



Extend VXLAN across Multiple Sites using L2 VPN


Extend non-NSX site with VLANs to NSX Site with VXLANs

Notice in the diagram above that when extending from a non-NSX site (i.e. you have VLANs and no NSX deployment), deploying the NSX Standalone Edge is required. The Standalone Edge is an OVF file that needs to be downloaded and deployed. I suggest reading about and deploying this for practice, as it might be asked in the exam. I am not covering the deployment and configuration of the Standalone ESG in this blog.

Some new concepts to understand:

Trunk Port: From NSX 6.1 the Trunk Port was introduced, increasing the scalability of virtual networking. One use case that can take advantage of this feature is the L2 VPN. With a Trunk Port you can stretch multiple subnets through what's called a 'sub-interface', which is bound to an ESG vNIC. A vNIC on the ESG can have multiple sub-interfaces, and each sub-interface carries a VLAN or VXLAN.


Trunk Port configured with sub-interfaces

Egress Optimisation Gateway Address: I cannot find much detailed VMware info on this, but here is my take. In the above pictures there are two remote sites, each site has its own ESG and each ESG has its own route to the Internet. We have a stretched L2 subnet. The VMs on this subnet all have the same gateway address (assume: When you configure the L2 VPN server and client, one of the bits of info it requires is the Egress Optimisation Gateway address(es). This allows traffic to be locally routed or blocked from traversing across the L2 VPN link. The other nice thing is that if you vMotion a VM from one site to the other, no guest OS network changes are required; the default gateway for the VMs remains the same. *Please correct me if this is not 100% correct!

Also read this best practice information with regards to L2VPN Options to Mitigate Looping. In my nested lab I created a routing loop and it took a few hours to resolve after my entire vSphere/vCenter environment melted. Good learning though to resolve it.

The below picture is from the VMware Hands-On-Labs, which I have edited to suit a VXLAN to VXLAN L2 VPN configuration. This is the environment in my lab and it gives you an idea of what my configuration looks like. Both sites are NSX enabled, there is an ESG at each site, and all networks are VXLAN. I am using a Distributed Logical Router (DLR) to simulate external routing. I will walk through the L2 VPN configuration, configuring the ESGs for L2 VPN and Sub-Interfaces.


Lab Configuration

I found the NSX documentation to be lacking when it comes to L2 VPN VXLAN to VXLAN. You need to remove the Web-Tier network logical interface (LIF) from the DLR. The sub-interface is the glue between the web-tier logical network and the ESG.

Credit goes to the following two blogs that had excellent diagrams to help me figure this out: Virtualization Gains and

From here on I will refer to Site A, which is the left side with the ESG called L2VPN-Server (the destination), and Site B, which is the right side with the ESG called L2VPN-Client (the client).

L2 VPN Server configuration – SiteA

Create Trunk Port and Sub-interfaces on L2VPN-Server

First off I need to create a Trunk Port and Sub-interfaces. Before doing this I created a new Distributed Port Group and called it L2VPN_SiteA_PG. I created this on my Compute vDS.


I can now proceed to create the Trunk and sub-interfaces. (VMware documentation here)

Log into the vSphere Web Client.

Click Networking and Security, then NSX Edges.

Double-click the ESG that will be configured as the L2 VPN Server for SiteA, in my case this is L2VPN-Server.

Click Interface, select a free interface (in my case vNIC2) and then select Edit (pencil icon).

Change Type to Trunk.

Change Connected To to the port group that was created (in my case L2VPN_SiteA_PG).


Click the green + sign to Add a Sub-interface.

Enter a Name.

Enter a Tunnel ID, a number from 1 to 4093. The Tunnel ID is used to connect the stretched networks and MUST BE THE SAME ON SITE A and SITE B.

Change the Backing Type. I have selected Network. As per the VMware documentation:


For Network, click Select and add the logical switch. As per the lab configuration for Site A this will be: Web-Tier-Network-6051.

Under Configure Subnets, click the green + sign to Add an IP Address. For the lab configuration this will be


You can now see my Trunk configured.


From the Web-01a VM at Site A I can now ping the sub-interface address of the ESG. Nice! The logical network is directly connected to the ESG.


Configure SSL Certificate on L2VPN-Server

Should you require a CA signed or self-signed certificate blog 8 has the process for creating/importing to the Edge. By default the L2 VPN will utilise a System Generated Certificate.

Configure the L2 VPN Server on L2VPN-Server

This configures the Destination side of the L2 VPN. The Client connects to this endpoint.

Double-click the ESG that will be configured as the L2 VPN Server for SiteA, in my case this is L2VPN-Server.

Change the L2VPN Mode to: Server

Under Global Configuration Details click Change.

Select your External Interface, Port and Encryption. Note the Listener IP address; this is required on the client ESG to connect.

Under Certificate Details, either use a System Generated Certificate, select a self-signed certificate, or add a CA-signed certificate.


Under Site Configuration Details, click the green + sign to Add a Peer Site. The username and password entered here are required on the client ESG to connect.


Make sure you click Publish Changes to apply the configuration.


Enable the L2VPN Service: click the Enable button, then click Publish Changes.


Site A is complete. Now I need to configure the Site B Edge Services Gateway as an L2 VPN Client.


L2 VPN Client configuration – SiteB

I select and double-click my Client Edge Services Gateway, L2VPN-Client.

Create Trunk Port and Sub-interfaces on L2VPN-Client

Create a port group on the vDS called: L2VPN_SiteB_PG


Add the interface and sub-interfaces


Configure SSL Certificate on L2VPN-Client

Should you require a CA signed or self-signed certificate blog 8 has the process for creating/importing to the Edge. By default the L2 VPN will utilise a System Generated Certificate.

Configure the VPN Client on L2VPN-Client

Click on Manage, then L2 VPN.

Change the L2VPN Mode to Client.

Under Global Configuration Details, click Change.

Enter the Remote VPN Server Address. In my case: This is the Listener IP on the destination ESG.

Select the same Port and Encryption Type as configured on the destination VPN Server.

Select the SiteB sub-interface.

Enter the Egress Optimisation IP of the subnet. In this case

Enter the username and password configured on the destination VPN Server.


Make sure you click Publish Changes to apply the configuration.

Enable the VPN Service, and click Publish Changes.

Check that the Tunnel Status is UP.
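Before looking at tunnel status, it is worth checking that the two ESG configurations actually agree on the points the steps above insist on. The following script is an added example, not part of the original post or of NSX: it compares a Server and a Client configuration for a matching Tunnel ID, the same Port and Encryption, a client Remote VPN Server Address equal to the server Listener IP, a shared Egress Optimisation gateway that sits inside the stretched subnet, and the service being enabled on both sides. All addresses, the port and the cipher name are constructed sample values, and the dictionary layout is my own, not the NSX API.

```python
import ipaddress

# Constructed sample values (assumed; the post elides its real addresses and port).
SITE_A = {  # L2VPN-Server at Site A (destination)
    "mode": "server", "listener_ip": "192.0.2.10", "port": 443,
    "encryption": "AES256-SHA", "enabled": True, "egress_gateway": "172.16.10.1",
    "subinterfaces": [{"tunnel_id": 10, "address": "172.16.10.2/24"}],  # Web-Tier-Network-6051
}
SITE_B = {  # L2VPN-Client at Site B (initiates the connection)
    "mode": "client", "remote_server": "192.0.2.10", "port": 443,
    "encryption": "AES256-SHA", "enabled": True, "egress_gateway": "172.16.10.1",
    "subinterfaces": [{"tunnel_id": 10, "address": "172.16.10.3/24"}],  # Site B web-tier switch
}

def check_l2vpn_pair(server, client):
    """Return a list of findings; an empty list means the two sites agree."""
    findings = []
    if server["mode"] != "server" or client["mode"] != "client":
        findings.append("one ESG must be in Server mode and the other in Client mode")
    if client.get("remote_server") != server.get("listener_ip"):
        findings.append("client Remote VPN Server Address != server Listener IP")
    for key in ("port", "encryption"):
        if server[key] != client[key]:
            findings.append(f"{key} differs between sites")
    srv = {s["tunnel_id"]: s for s in server["subinterfaces"]}
    cli = {s["tunnel_id"]: s for s in client["subinterfaces"]}
    for tid in sorted(srv.keys() | cli.keys()):
        if not 1 <= tid <= 4093:
            findings.append(f"Tunnel ID {tid} is outside the 1-4093 range")
        if tid not in srv or tid not in cli:  # the ID must match on both sites
            findings.append(f"Tunnel ID {tid} is not configured on both sites")
            continue
        a = ipaddress.ip_interface(srv[tid]["address"]).network
        b = ipaddress.ip_interface(cli[tid]["address"]).network
        if a != b:  # a stretched subnet shares one L2 address space
            findings.append(f"Tunnel ID {tid}: subnets differ ({a} vs {b})")
    if server["egress_gateway"] != client["egress_gateway"]:
        findings.append("Egress Optimisation gateway differs between sites")
    for name, site in (("server", server), ("client", client)):
        gw = ipaddress.ip_address(site["egress_gateway"])
        if not any(gw in ipaddress.ip_interface(s["address"]).network
                   for s in site["subinterfaces"]):
            findings.append(f"{name}: egress gateway {gw} is not in a stretched subnet")
        if not site["enabled"]:
            findings.append(f"{name}: L2VPN service is not enabled")
    return findings

if __name__ == "__main__":
    print(check_l2vpn_pair(SITE_A, SITE_B))  # [] when the two sites agree
```

Change the client's Tunnel ID to anything other than 10 and the check reports the ID as missing on one side, which is the mismatch that leaves the tunnel up but the stretched network silent.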


If I switch back to the destination VPN Server and click Show L2VPN Statistics, I can see traffic has flowed across the VPN.


If I jump on the console of Web-01a and run a ping to Web-02b, the ping is successful. I can also ping from the other side.

I can now vMotion migrate over this network from SiteA to SiteB.


That's all for this post. I recommend you read the reference documents below.

In Next post we will cover: Objective 3.3 – Configure and Manage Additional VMware NSX Edge Services

I hope this has been informative and thank you for reading! Be social and share it on social media if you feel it is worth sharing!


I am Rahul Sharma. I am currently working as a Subject Matter Expert for SDDC and Cloud Infrastructure Services, mainly on the VMware virtualization platform.

I have 9 years of IT experience and have expertise in designing and deploying VMware vSphere, vSAN, vCloud Director, vRealize Automation, SRM, NSX and modern data center technologies like vBlock, Cisco UCS, DELL, HPE C7000, HPE Synergy HCI etc.

I am vExpert, VCIX6-DCV, Dual VCP – DCV & NV, MSCE – Cloud, CCNA, ITIL v3 Certified.
