5 steps to Setup L2VPN on Alibaba Cloud VMware Solution (ACVS) using NSX-T 3.x

Bo Yuan
5 min read · Feb 5, 2021

Alibaba Cloud VMware Solution (ACVS) is a VMware validated solution with on-going validation and testing of enhancements and upgrades. Alibaba Cloud manages and maintains the private cloud infrastructure and software.

ACVS provides you with private clouds containing vSphere clusters, NSX and vSAN, built from dedicated bare-metal xDragon infrastructure on AliCloud. It allows you to migrate workloads from your on-premises data center, deploy new VMs, and consume Alibaba Cloud native services from your private clouds.

ACVS solution

ACVS offers an environment that is accessible from on-premises and from AliCloud VPCs or native services. Services such as Express Connect and VPN Gateway deliver that connectivity. On top of that, NSX-T Data Center also supports several types of VPN:

  • IPSec VPN offers site-to-site connectivity between an NSX T0/T1 and remote sites.
  • L2 VPN allows you to extend your datacenter by stretching logical networks (both VLAN and VXLAN) and allowing VMs to retain network connectivity across geographical boundaries.

Alibaba Cloud VMware Solution L2VPN Architecture

The advantage of L2VPN is that VMs remain on the same subnet when they are moved between sites, and their IP addresses do not change. So, with the L2 VPN service, enterprises can seamlessly migrate workloads between different physical sites.

As a new feature introduced in NSX-T 3.x, in this design we run the L2VPN service on a T1 at on-prem and connect it to the ACVS side, where it runs on a T0. Configuring an L2 VPN requires that you configure an L2 VPN service in Server mode and then another L2 VPN service in Client mode.

Before configuring the L2VPN, you need the connectivity and the basic setup to be ready and in place: a connection between the two sites, NSX-T 3.x deployed, and a T1 router at the on-prem site. Some parameters have to be designed before the installation:

  • Endpoint IP
  • Endpoint ID
  • Local ID
  • Tunnel interface subnet
  • Pre-shared Key
  • VPN Tunnel ID
  • Local Egress Gateway IP
  • Segment and Gateway

The installation process goes back and forth among IPSec, server, client, L2VPN, cloud, segment, etc., so it is easy to get lost in the middle of the configuration. We follow these steps to finish the whole process, separated into server side and client side, each comprising the VPN service, local endpoint, L2VPN session and segment binding.

Process of NSX-T L2VPN configuration

The configuration starts from the Server side, which is our on-prem site.

Step 1: select “IPSec” under Add Service of VPN Services, provide a name and select the proper Gateway; in this design we use a T1 on the server side.

Step 2: select “L2VPN Server” under Add Service of VPN Services; note that it is connected not to the T0 but to the pre-deployed T1.

Step 3: next we configure the Local Endpoint; the local ID is kept the same as the endpoint IP address for easy management in the lab.

Step 4: the L2VPN session we set up here is still the Server part. This session combines the VPN service and the Endpoint together, along with the parameters essential for establishing the tunnel, such as the PSK, remote IP/ID, tunnel interface, etc.

Step 5: the last step on the Server side: download the config and save it to your computer, as you will need it when you do the Client side L2VPN settings.

Only the content inside the quotes is to be copied and pasted to the Client.

Well, those are all the settings on the Server side. Just follow the same steps on the Client side, and you should see the Status under L2VPN session turn Green and UP.
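Because the Client side mirrors the Server side (its remote IP/ID is the server's endpoint IP/local ID and vice versa, while the PSK and tunnel ID must match and the tunnel interfaces must share one subnet), a quick consistency check on the designed parameters catches most mistakes before you start clicking. The following is an added example written for this post, not code from NSX-T or ACVS; all addresses and the PSK are constructed sample values, and the 20-character minimum PSK length is an assumed local policy.

```python
import ipaddress

# Constructed sample values for one server/client pair (not taken from the article).
SERVER = {"endpoint_ip": "203.0.113.10", "local_id": "203.0.113.10",
          "remote_ip": "198.51.100.20", "remote_id": "198.51.100.20",
          "tunnel_if": "169.254.31.1/30", "tunnel_id": 1, "mode": "SERVER",
          "psk": "Constructed-Sample-PSK-For-Lab-Use-Only"}
CLIENT = {"endpoint_ip": "198.51.100.20", "local_id": "198.51.100.20",
          "remote_ip": "203.0.113.10", "remote_id": "203.0.113.10",
          "tunnel_if": "169.254.31.2/30", "tunnel_id": 1, "mode": "CLIENT",
          "psk": "Constructed-Sample-PSK-For-Lab-Use-Only"}

MIN_PSK_LEN = 20  # assumed local policy, not an NSX-T requirement


def check_pair(server, client):
    """Return a list of findings; an empty list means the two sides mirror correctly."""
    findings = []
    # Each side's remote IP/ID must equal the peer's local endpoint IP and local ID.
    for side, peer, name in ((server, client, "server"), (client, server, "client")):
        if side["remote_ip"] != peer["endpoint_ip"]:
            findings.append(f"{name}: remote IP {side['remote_ip']} != peer endpoint IP {peer['endpoint_ip']}")
        if side["remote_id"] != peer["local_id"]:
            findings.append(f"{name}: remote ID {side['remote_id']} != peer local ID {peer['local_id']}")
    # Tunnel interfaces must sit in the same subnet but use different host addresses.
    s_if = ipaddress.ip_interface(server["tunnel_if"])
    c_if = ipaddress.ip_interface(client["tunnel_if"])
    if s_if.network != c_if.network:
        findings.append(f"tunnel interfaces in different subnets: {s_if.network} vs {c_if.network}")
    elif s_if.ip == c_if.ip:
        findings.append(f"both tunnel interfaces use the same address {s_if.ip}")
    # PSK and tunnel ID must match, and exactly one side must be the server.
    if server["psk"] != client["psk"]:
        findings.append("pre-shared keys differ between server and client")
    if len(server["psk"]) < MIN_PSK_LEN:
        findings.append(f"pre-shared key shorter than {MIN_PSK_LEN} characters")
    if server["tunnel_id"] != client["tunnel_id"]:
        findings.append(f"tunnel IDs differ: {server['tunnel_id']} vs {client['tunnel_id']}")
    if {server["mode"], client["mode"]} != {"SERVER", "CLIENT"}:
        findings.append("one side must be SERVER and the other CLIENT")
    return findings


if __name__ == "__main__":
    for line in check_pair(SERVER, CLIENT) or ["OK: server and client parameters mirror each other"]:
        print(line)
```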

After setting up the segment to be stretched between cloud and on-prem, as well as the VM network connections, the L2VPN extends the network over the tunnel and the VMs can reach each other.

From the ACVS cloud side, accessing on-prem:

Here is from on-prem to cloud:

To track the statistics, NSX-T provides a summary where you can find the packets and data in and out.

With NSX-T L2VPN, you can easily stretch multiple logical networks (both VLAN and VXLAN) across different geographical sites. Besides, you can configure multiple sites on the L2VPN server, which allows VMs to remain on the same subnet despite being migrated between these sites, and so extends your datacenter to the cloud.
