Layer 2 bridging with NSX

The following diagram presents an overview for an architecture pattern for using layer 2 bridging with NSX edges in IBM Cloud classic infrastructure.

The following list is a summary of the architecture pattern deployment:

1. An L2 bridge requires an Edge cluster and an Edge Bridge profile to be deployed. An Edge Bridge profile specifies which Edge cluster to use for bridging and which Edge transport node acts as the primary and backup bridge.
2. You need to have a new VLAN for the bridged devices. After the VLAN is provisioned, you can request to trunk the hosts. VLAN must be trunked to all hosts in your cluster through IBM Cloud Classic portal (Classic Infrastructure > Network > Gateway appliances). Then, add the hosts to a wanted NSX VLAN transport zone, for example tz-bridge.
3. On the edge cluster uplink distributed port group, enable Promiscuous mode and Forged transmits for bridging. Add these settings to the wanted NSX VLAN transport zone, for example tz-bridge.
4. When you configure an NSX overlay segment, you can specify an Edge bridge profile to enable layer 2 bridging. Use the VLAN ID of the additional bridged VLAN on your configuration.
5. Provision your servers (for example Bare Metal Servers) normally to the VLAN, and after the provisioning you can change the IP configuration to match your NSX overlay design. Logically, you can attach the server to the same subnet as configured on your NSX overlay segment.
6. After the change, your server's default gateway is Tier 1 (T1) gateway's IP address. You can then communicate with the VMs on your overlay segments and use NSX gateway firewalls.

To use the capability, you can either use the existing workload edge cluster, or deploy a new edge cluster for bridging. If you use the existing workload edge cluster, you must create the edge bridge profile by using that cluster and change the existing-distributed port group to allow Promiscuous mode and Forged transmits. This setup shares the capacity of the private uplinks from the edge nodes for both private routed and bridged traffic. Transport zones are defined in the edge host switch (N-VDS), for example add the new tz-bridge to nvds-edge-private.

Alternatively, you can deploy a new edge cluster for bridging. In this case, you must create new edge nodes and create a new edge cluster by using these nodes. When you configure the edge bridge profile, you can then use this edge cluster for bridging only. This alternative scales better, and provides a better dedicated bridging performance. Transport zones are defined in the edge host switch (N-VDS), for example add the new tz-bridge to nvds-bridge.

Make sure you have the bridged VLANs transport zone (for example tz-bridge) configured on all wanted transport nodes.

Considerations

When you design or deploy this architecture pattern, consider the following steps:

• Using the existing workload edge cluster is good for testing the layer 2 capability and for small deployments.
• If you have a larger deployment, deploying a dedicated edge cluster or several edge clusters offers better performance and generally scales better.
• If you use new edge nodes for bridging, they do not have to be in the same network or POD as the workload edge. Edge nodes are transport nodes and they communicate with the other NSX transport nodes (edges or hosts) through Geneve tunnels over layer 3 routed connections by using the IBM Cloud classic network as a transport network.

Related links

• VMware vSphere overview
• Getting started with IBM Cloud Gateway Appliance
• Create an NSX Edge Transport Node
• Edge Bridging: Extending Overlay Segments to VLAN