• You are setting up communication between different VMs on different hosts, all connected to the same NSX overlay segment configured with L2 bridge.
  • Without the L2 bridge, you observe that pings between the VMs are consistent; however, when you introduce the L2 bridge to connect a vlan to the overlay segment, pings time out periodically.
• The NSX segment MAC table output on the VM's host shows the incorrect outer IP of the L2 bridge IP for the host kernel entry, rather than the destination edge TEP for the VM's MAC address, as observed in the LCP remote entry.
  • VM traffic shouldn't be routed to the VLAN bridge IP when both the source and destination VMs are connected to the same NSX overlay segment. It should instead be handled by their respective edge TEP IPs.

host1> get segment ####aaaa-####-####-####-####3c####a7 mac-table
Tue Nov ## 2025 UTC 18:23:05.455
                             Segment MAC Table
---------------------------------------------------------------------------

                             Host Kernel Entry
===========================================================================
     Inner MAC            Outer MAC            Outer IP      Flags
 5c:5a:c7:2e:##:##    ff:ff:ff:ff:ff:ff      10.1.##.##     0xd
                                          ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 0x9
 5c:5a:c7:2e:##:##    ff:ff:ff:ff:ff:ff      10.1.##.##     0xd
 00:50:56:a5:##:##    ff:ff:ff:ff:ff:ff      10.1.##.##     0x1
 00:50:56:a5:##:##    00:50:56:64:##:##      10.1.##.##     0x3                       -----> Incorrect outer IP
 d2:39:ea:af:##:##    ff:ff:ff:ff:ff:ff      10.1.##.##     0xd
 d2:39:ea:af:##:##    ff:ff:ff:ff:ff:ff      10.1.##.##     0xd

                             LCP Remote Entry
===========================================================================
     Inner MAC            Outer MAC            Outer IP
 00:50:56:a5:##:##    00:50:56:64:##:##      10.18.##.##                              -----> correct outer IP

                              LCP Local Entry
===========================================================================
     Inner MAC            Outer MAC            Outer IP
 00:50:56:a5:##:##    00:50:56:69:##:##      10.18.##.##

VMware NSX

• Promiscuous mode is set to 'Accept' in security settings of the distributed port group of the vlan bridge interface along with MAC learning enabled.
  • If MAC learning is enabled for L2 bridging configuration, distributed port group's security settings that the vlan bridge interface is connected to should have 'Promiscuous mode' set as 'Reject' and 'forged transmits' set as 'Accept'. 

Note: Setting 'forged transmits' to 'Accept' with mac learning enabled is not clearly pointed out in the techdoc. Configure an Edge VM for Bridging: Option 2a

If mac learning is enabled, navigate to Distributed Port Group --> security setting wizard for the vlan bridge interface portgroup.

1. Set 'forged transmits' to 'Accept'

2. Set 'promiscuous mode' to 'Reject' 

• For more information on configuring L2 bridging with mac learning setting enabled, refer this techdoc Configure an Edge VM for Bridging: Option 2a.

Note: Setting 'forged transmits' to 'Accept' and 'promiscuous mode' to 'Reject' with mac learning enabled is not clearly pointed out in the techdoc but is required for L2 bridging to work.