Configuring Layer 2 Bridging in NSX

What is Layer 2 (L2) Bridging?

A Layer 2 (L2) Bridge allows connectivity between a logical switch (VXLAN based) and a VLAN based portgroup on vDS that shares the same IP address space i.e VMs connected to VXLAN and distributed portgroup are on same subnet. 

A possible use cases for this scenario can be, an application server on a logical switch need to reach a database server connected to the physical network or a customer wants to extend their application to the cloud but wants to keep certain components on-site and because its legacy application it cannot be re-IP’d or any other constraint.

Prior to NSX version 6.2, it was not possible to bridge a Logical Switch that was connected to a Distributed Logical Router: for that scenario it was required to connect the Logical Switch directly to an Edge Gateway.

With NSX 6.2 VMware introduced in-kernel software L2 Bridging capabilities that allow you to connect VLAN backed VMs to VMs connected VXLAN based network (virtual wires). L2 bridging is achieved by deploying a Logical router control VM. The control VM is used only for the bridge configuration and its pinning to a particular ESXi host.

In a L2 bridge, there is always a 1:1 relationship between VXLAN and VLAN. Although there can be multiple bridge instances on a DLR, but the same VXLAN or VLAN cannot be connected to more than one bridge.

The following prerequisites are for Layer 2 Bridging.

  • An NSX logical router must be deployed in your environment.
  • You cannot use a universal logical router to configure bridging, and you cannot add a bridge to a universal logical switch.

Add Layer 2 Bridging

In my lab, I have 2 VM’s for testing the bridging. VM L2B-01 is connected to a logical switch and have IP address 10.10.10.10

l2b-01.PNG

VM L2B-02 is connected to a distributed portgroup named “L2-Bridge-Test” and have IP address 10.10.10.11. The distributed portgroup is on VLAN 346.

l2b-02.PNG

PG.PNG

I deployed a fresh DLR in my lab and did not configured any interfaces on the DLR during deployment.

Once the distributed router is deployed, double click on it and navigate to Manage > Bridging and click on green + button to create a new bridge.

l2b-10.PNG

Provide a name for the bridge and select the logical switch and the corresponding distributed portgroup between which bridge will be established. Hit OK.

Note: If you are trying to add a portgroup here but forget to define VLAN id on that portgroup, it will not be visible in the list when you browse for it.

l2b-11

Make sure to click on Publish Changes post bridge creation. 

l2b-12

Connect Layer 2 Bridging to the appropriate distributed virtual port group

Objective of this topic was not very clear to me but I guess it refers to making configuration changes in a bridge post creation. Configuration change could include changing the portgroup in a bridge (if by mistake you mapped wrong portgroup in a bridge)

Follow below steps to make a change to the l2 bridge: 

  • Login to vSphere Web Client and navigate to Networking & Security > NSX Edges
  • Double click the distributed router where an existing bridge is configured.
  • Navigate to the “Bridging” tab and select the bridge you want to modify.
  • In the popup window, select the appropriate distributed portgroup and click “OK”.
  • Lastly, press the button “Publish” on the top of the screen when you’re added the bridge to push the change to the LDR.

Thats wrap up the objective 2.2 of the VCIX-NV Deploy exam. Stay tuned for next post of this series.

Reference Documents

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable :)

Leave a Reply