NSX

VMware NSX Layer 2 Bridge Configuration

I have been playing around a lot with NSX in the home lab lately and decided to revisit the NSX Layer 2 Bridge functionality especially since now much of the configuration can be done in the HTML 5 interface. The NSX Layer 2 Bridge is an interesting tool that can be used in various use cases that can be helpful. There can be requirements from a network perspective that require ensuring the same layer 2/broadcast domain for workloads to be able to communicate from a network perspective. In this post, we will take a look at VMware NSX Layer 2 Bridge Configuration and the various use cases and capabilities as well as limitations.

What is the purpose for the Layer 2 Bridge?

The Layer 2 bridge makes communication from a logical switch and a physical VLAN possible by bridging the Logical Switch to the physical network by way of a VLAN enabled Distributed Port Group. What are the use cases for this type of configuration?

The following use cases are defined by VMware as potential Layer 2 bridge use case candidates:

Physical to virtual, or virtual to virtual migration – Using the NSX layer 2 bridge you can migrate workloads inside NSX and outside without losing the IP addressing scheme needed for communication

  • Allow physical resources to be able to communicate with the VMs that reside on a logical switch.
  • The Layer 2 bridge also allows integrating a physical network device such as a router into the NSX environment.

Additional use cases that are found in many real world environments include the following:

  • DR use cases where reconfiguring IP addresses is not a consideration due to constraints in legacy applications
  • Hybrid cloud environments where again, you need to have the same IP addresses configuring and connectivity between the cloud and on-premises environments on the same layer 2 broadcast domain.

VMware NSX Layer 2 Bridge Configuration

The first thing I am going to do is create a NSX Logical Switch. The Logical Switch is the VXLAN based switch that can create logical networks across physical network infrastructure. This means you can have the same address space across different underlying routed networks. Navigate to NSX Local Switches > Add.

Creating-a-new-Logical-Switch-in-NSX
Creating a new Logical Switch in NSX

The New Logical Switch dialog box has you name the Logical Switch, Transport Zone, Replication Mode, and the type of discovery.

Creating-a-new-NSX-Logical-Switch-and-replication-mode
Creating a new NSX Logical Switch and replication mode

Once the Logical Switch is created, we can now create the Distributed Logical Router. Navigate to NSX Edges > Add.

Adding-a-Distributed-Logical-Router-for-creating-an-NSX-Layer-2-Bridge
Adding a Distributed Logical Router for creating an NSX Layer 2 Bridge

The New Distributed Logical Router wizard launches. The first screen has you configure the basic details of the DLR. Under the deployment options, you can deploy the Control VMs and High Availability if desired.

Creating-a-New-Distributed-Logical-Router-for-Layer-2-Bridge-purposes
Creating a New Distributed Logical Router for Layer 2 Bridge purposes

Configure the user name and password as well as SSH configuration and FIPS mode.

Under-settings-configuring-password-SSH-access-and-Loggin-level
Under settings configuring password SSH access and Loggin level

On step 3, the deployment configuration, click the big plus sign for Add Edge Appliance VM.

Adding-Edge-Appliance-VM
Under settings configuring password SSH access and Logging level

The Add Edge Appliance VM dialog box pops up. The VM configuration includes the Datacenter, Cluster/Resource Pool, Datastore, Host, Folder, Resource Reservation, CPU, and Memory.

Edge-Appliance-VM-Settings
Edge Appliance VM Settings

Click the edit pen under the Management/ HA Interface configuration.

Configuring-the-Management-HA-interface
Configuring the Management HA interface

You can select the management interface to reside on the Logical Switch or the Distributed Virtual Port Group.

Create-the-management-interface-on-the-Logical-Switch
Create the management interface on the Logical Switch
Distributed-Virtual-Port-Group-for-Management-interface
Distributed Virtual Port Group for Management interface

Deployment configuration is set including the Management/HA Interface.

Deployment-Configuration-of-the-Edge-Appliance
Deployment Configuration of the Edge Appliance

On the configure interfaces, you can leave this blank here.

Configure-Interfaces
Configure Interfaces

Default Gateway can be left blank.

Default-Gateway-Configuration
Default Gateway Configuration

Review and confirm the Distributed Logical Router configuration.

Review-the-configuration-of-the-Distributed-Logical-Router
Review the configuration of the Distributed Logical Router

The DLR is deployed successfully.

Distributed-Logical-Router-Deployed-successfully
Distributed Logical Router Deployed successfully

To deploy the Layer 2 Bridge, we need to go back to the Flex client and Manage the properties of the Distributed Logical Router. Click Bridging and then click the green plus sign.

Adding-a-new-Layer-2-Bridge
Adding a new Layer 2 Bridge

The Add Bridge configuration pops up. You have to assign a name, Logical Switch, and Distributed Virtual Port Group. ***Note*** There are a couple of very important details on the Distributed Virtual Port Group that can be used.

  • You must have a VLAN ID assigned to the DPG, default VLAN 1 won’t work.
  • The Distributed Port Group must be a port group on the same vSphere Distributed Switch that handles the VXLAN VTEPs
  • If either of the two things above are not true, you will not see the expected DPG appear on the selection screen.
  • The Layer 2 Bridge is also pinned to the particular host that is providing the bridge from Logical to physical.
Add-the-Bridge-including-the-Logical-Switch-and-Distributed-Port-Group
Adding a new Layer 2 Bridge
After-choosing-the-Layer-2-Bridge-Name-Logical-Switch-and-Distributed-Port-Group
After choosing the Layer 2 Bridge Name, Logical Switch and Distributed Port Group

As you can see below, the test workstations are in different routed environments or at least TTYLinuxProd 2 when compared to TTYLinuxProd1. TTYLinuxProd3 is on the physical DGP backed VLAN and not on the Logical Switch.

Logical-Switch-allows-communication-on-the-same-network-despite-underlying-physical-networks
Logical Switch allows communication on the same network despite underlying physical networks

Pings between the two workstations on the Logical Switch are successful. This shows that VXLAN traffic is successful.

Connectivity-tests-between-the-dissimilar-underlying-networks-on-the-same-Logical-Switch-are-successful
Connectivity tests between the dissimilar underlying networks on the same Logical Switch are successful

Just a note here. Before the successful ping tests above between the two workstations connected on the Logical Switch, my Palo Alto firewall was blocking the VXLAN UDP traffic between the VTEPs. I had to add an exception for this traffic. Keep in mind this is a consideration for successful VXLAN communication between VTEPs that span routed environments where a firewall(s) is in play.

Firewall-blocking-VXLAN-UDP-traffic

After attaching the layer 2 bridge in the environment, I can now successfully ping from TTYLinuxProd3 workstation on the VLAN backed DPG. We have successfully bridged traffic between the Logical Switch and the “Physical” network backed by a VLAN.

Workstation-on-the-bridged-VLAN-is-able-to-ping-a-workstation-on-the-logical-switch
Workstation on the bridged VLAN is able to ping a workstation on the logical switch

Takeaways

VMware NSX Layer 2 Bridge Configuration provides an extremely interesting and powerful tool to be able to extend these VXLAN enabled networks to the physical network or a “physical” network that is comprised of a virtual portgroup that is backed by a VLAN. The Layer 2 bridge can be a great way to alleviate network constraints in legacy applications that may need to have the same IP scheme and layer 2 broadcast domain. Using NSX, the possibilities to have your networks live “anywhere” becomes much more doable without having too much network complexity. Keep in mind the constraints with the L2 Bridge including the requirement for a VLAN backed DPG, the DPG must exist on the same vDS that hosts the VTEPs.

Subscribe to VirtualizationHowto via Email 🔔

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, Brandon has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.