Not all virtual networks are going to be connected to the rest of the network in the exact same way; some Logical Switches, in fact, will want to talk directly over layer 2 to an existing VLAN-backed port group, or need to reach a gateway or service interface that still lives elsewhere in the physical world. These are some reasons you may want to implement a layer 2 bridge within NSX, especially if you are dealing with a migration effort to get virtual machines over to a Logical Switch, or are splitting a subnet across physical and virtual workloads.
Layer 2 bridging is one of the services provided by a Logical Router. The router is not acting as a gateway for traffic in the traditional sense; it literally maps a Logical Switch to a VLAN port group. This bridging activity takes place on the same ESXi host that is running the active router instance (assuming you deploy them in pairs, one is active and the other is standby).
Here are the steps involved to get a layer 2 bridge constructed and operational.
Creating a Logical Router
Fire up your super trusty vSphere Web Client and navigate to Networking & Security > NSX Edges. You may find it confusing that Logical Routers are made in the NSX Edges area, but I assure you that there is no “Logical Router” menu item like you see with Logical Switches. You choose which type of router to deploy when you build one.
To start, click the green plus button to start the creation wizard. Choose the Logical (Distributed) Router option, and give it a name. For this example, I’m using the name L2Bridge.
Next, configure the name, password, access settings, and deployment type. I’m just going with a single node for the lab. Make sure to drop in a super complex password or else the wizard will nag you.
The configure deployment screen is where many folks goof up. If you pass up this screen, no actual appliance will be deployed. So, pick a data center location, then pick the resource pool, datastore, and optionally a folder and host. I don’t specify a host because I let DRS handle that for me.
The router will need a management interface. I’ll stick it on my lab port group but don’t usually bother with an IP address; I can just open the VM console if the need arises. Because this is a purpose-built router for bridging, I don’t actually need to connect any interfaces to the router. We’ll pick which networks to bridge later in the process.
Because I have no IP addresses on the router, I can skip the default gateway settings and finish the wizard.
Keep an eyeball on the status. Once it changes from Busy to Deployed, you’re good to move on.
Layer 2 Bridge Configuration
Now that the new router is deployed, you’ll need to double click on the router ID entry in the NSX Edges page. It’s not very intuitive, so I’ve put a little mouse explosion graphic in the screenshot below. Boom!
Click on Manage > Bridging. You should see a list of zero bridge ID entries. Let’s fix that! Click on the green plus sign to add a new bridge.
The Add Bridge menu is very simple. Pick a name for this bridge instance, then choose the Logical Switch and Distributed Port Group to bridge. You can use the little graphic images to pick a Logical Switch and Distributed Port Group. They can be found next to the numbers 3 and 4 in my graphic below. I’ve decided to bridge the Desktop-Templates Logical Switch that was created in the previous post to my lab port group on VLAN 20.
The final step is to review and publish the changes to your router. Click Publish if it looks good.
After a few moments, the bridge ID will populate and your new layer 2 bridge is done.
Testing the New Layer 2 Bridge
I’ll go ahead and put the virtual NICs of a few desktop VMs onto the Desktop-Templates port group.
I’ve logged on to the Windows 7 template VM. Let’s see if it can ping in and out of the Logical Switch. I’ll first ping the SVI for VLAN 20, 172.16.20.1, and then Google.
Success. It really is that simple. I’d caution folks to deploy the Logical Router in an HA pair if you’re doing this outside of a lab. Single points of failure are evil.
