How to stretch networks over VMware NSX Edge Bridge

When you are migrating environments, quite often customer doesn’t want to have any downtime for workloads or workloads are critical and have to stay always available. In other cases you might need to have underlay (VLAN) connected workloads and Overlay connected workloads in the same network segment and keep their IPs or you need to migrate workloads from NSX-V to NSX-T. Yeah, there are still some customers running NSX for vSphere (NSX-V).

VMware HCX is the great product which can make it for you but it requires deploy, configure and of course significant resources for all components to run. If you don’t need all the fancy things of HCX and you need only to extend one or several networks, much easier would be to use VMware NSX build-in functionality of L2 Bridge and Layer 2 VPN (L2 VPN).

In this blog I want to show how to configure and use L2 Bridge for two scenarios:

1. VM1 (labtst01) connected to underlay VLAN based vDS/vSS PortGroup (lab-segment3-vlan), VM2 (labtst02) connected to NSX Segment (lab-segment2).
2. VM1 (labtst01) connected to overlay NSX Segment (lab-segment1), VM2 (labtst02) connected to NSX Segment (lab-segment2). There is no routing between segments.

First of all we need to deploy NSX Edge Transport Nodes (ETNs) in remote environment where VM1 running. In my case remote environment uses VMware vSphere and remote vCenter configured as Compute Manager in local NSX, so I can deploy remote ETNs directly from NSX UI. In worse case it’s still possible but you have to download standalone appliance, provision and pre-configure it, then connect to NSX.

In local NSX create two Uplink profiles:

1. “lab-nsxt-etn-private-uplink-profile” (NSX -> System -> Fabric -> Profiles -> Uplink Profiles -> Add Uplink Profile)

2. “lab-nsxt-etn-nic-bridge-uplink-profile”

Create two ETNs (one is the minimum but better to have two for redundancy), NSX -> System -> Fabric -> Nodes -> Add Edge Node

1. lab-etn-001

For ETN used for L2 Bridge you need two NVDS switches, one nvds-edge-private

Second switch nvds-bridge. In my case I forgot to define it during ETN deployment wizard, so I added it after ETN provision. Connect to lab-empty loopback PortGroup for now.

2. Similar process for second ETN: lab-etn-002

Good to use different Datastore for second appliance to have more redundancy (in case you use external Storage, non vSAN)

Connect to lab-empty loopback PortGroup for now

Wait for both ETNs to be provisioned and connected to NSX Manager

Create Edge cluster (NSX -> System -> Fabric -> Nodes -> Edge Clusters)

Create Edge Bridge Profile (NSX -> System -> Fabric -> Profiles), select previously created ETNs as Primary and Secondary Nodes

Create NSX Segment (or use existent if already created) (NSX -> Networking -> Segments)

and define Edge Bridge

If you use underlay VLAN based vDS/vSS PortGroup (scenario 1), open PortGroup settings and change Security settings. Change Promiscuous mode -> “Accept” and Forget transmits -> “Accept“

If you use Overlay Segment (scenario 2), create Segment MAC discovery profile and enable MAC Learning (NSX -> Networking -> Segments -> Profiles -> Add Segment Profile)

Change your remote Segment settings MAC Discovery profile to previously created profile

Now connect both ETNs nvds-switch uplink-1 to required PortGroup or NSX Segment (NSX -> System -> Fabric -> Nodes -> select ETN -> Edit, select DPDK Fastpath Interfaces for nvds-bridge switch)

Once all configurations above completed, you can test VM to VM connectivity. Besides they are located in different environments (or even one of them connected to VLAN based PortGroup) they can use the same subnet range, they can communicate to each other and rest of the network but you need to have Gateway configured on one side only (remote or local). Do not forget to update DFW (Distributed Firewall) if you use it in your environment.

All above tested on VMware NSX version 4.2.2.2. I hope this will help you to minimize downtime during migration projects and keep your customers happy. Good luck with migrations! 😉