Layer 2 Networking
Use Layer 2 Networks in Private Cloud Director to create networks that connect VMs without managed IP, DHCP, or routing services.
Overview
Layer 2 Network is a beta feature in the 2026.1 release. Please contact the support team for further details.
A Layer 2 Network (L2 Network) is an L2-only physical network that provides basic Layer 2 connectivity between virtual machines, without managed IP addressing, routing, or security services. Layer 2 Networks are available only when creating Physical Networks. Virtual Networks are always Managed Networks and do not have an L2 option.
Use a Layer 2 Network when your infrastructure already handles IP management externally, or when you are migrating workloads from VMware and want equivalent L2 behaviour without adopting managed networking. If you need subnets, DHCP, routers, or security groups, use a managed Virtual Network or Physical Network instead.
How Layer 2 Networks Work
Layer 2 Networks provide pure Layer 2 connectivity between VMs. This means:
No managed IP addressing. You configure IP addresses directly inside the guest OS using static assignment or an external DHCP server.
No routing. VMs on the same Layer 2 Network communicate at Layer 2. Cross-network traffic requires external routing infrastructure.
No security groups. Port-level security is managed outside of Private Cloud Director.
No subnet configuration. Layer 2 Networks operate only at the data link layerCreate a Layer 2 Network
Prerequisites
A physical network must be configured in your cluster blueprint. See Cluster Blueprint
The VLAN ID you specify must exist on your physical network infrastructure.
Perform the following steps.
On the Private Cloud Director UI , navigate to Networks and Security > Networks.
Select Create Network and then select Physical Network.
Under Basic Information, enter the following details.
Name
Enter a name for the network.
Description
Optionally, enter a description.
Admin State
Select Up to make the network available for VM provisioning immediately, or Down to defer availability.
MTU
Optionally, set the maximum transmission unit. Minimum value is 68 for IPv4 and 1280 for IPv6.
Under Network Type, select Layer 2 Network.
NOTE Selecting Layer 2 Network hides all subnets, DHCP, router, security groups, and public IP fields. These are not applicable to Layer 2 Networks. If you choose to configure these instances, configure the Network Type to Managed Network.
Enter the following details.
Network Label
Select the network label that maps this network to the corresponding physical network on your hypervisors.
Network Type
Select Flat (Untagged) for a network with no VLAN tags, or VLAN (Tagged) for a network that uses VLAN tagging.
Optionally, select Make Shared (Across All Tenants) to make the network type available to every tenant.
Select Create Physical Network.
The network appears in Networks and Security > Networks with a Layer 2 Network tag corresponding to the network name.
Using pcdctl CLI
PHYSICAL_NETWORK_LABEL
The label configured in the blueprint.
NETWORK_TYPE
Either vlan or flat.
VLAN_TAG
The VLAN tag. Only required if NETWORK_TYPE is vlan.
NETWORK_NAME
The name you want to assign to the network.
The --disable-port-security option is required for L2-only networks because port security is a Layer 3 feature and does not apply to L2-only networks.
On a successful network creation, you should see a similar output.
Deploy a VM on a Layer 2 Network
You can configure a VM for a Layer 2 Network when deploying a new VM from the Virtual Machines section.
Navigate to Virtual Machines > Virtual Machines.
Select Deploy New VM and proceed through the VM creation wizard.
On Select Network Type, choose Layer 2 Network.
Select the Layer 2 Network you want to use from the list. Managed Network options show IP configuration fields. Layer 2 Network selection hides all IP configuration fields.
Select Next Step to continue creating the VM.
NOTE
When deploying a VM on a Layer 2 Network:
The security group field is disabled and cannot be changed.
You can only create one VM at a time. To create multiple VMs on the same Layer 2 Network, repeat the deployment process for each VM.
Complete the remaining VM configuration and select Deploy.
After deployment, the VM instance details the following for the network attachment:
Network:
[Network Name] (Layer 2)IP Address:
N/A — Configure in guest OS
NOTE
External DHCP configuration: If using an external DHCP server for IP assignment, ensure the DHCP server is reachable in the L2 network's broadcast domain.
Cloud-init workaround for network configuration: There is a known issue with setting network configurations in cloud-init. As a workaround, use the
runcmdsection of cloud-init to configure static IP or DHCP.
Here is an example for an Ubuntu VM.
NOTE
You may need to make changes to make this work for other operating systems.
Using pcdctl CLI
Create the L2-only port that will be associated with the VM:
This command returns the port ID upon successful creation.
Here is an example of the output.
Attach the port created and create a VM:
Here is an example.
Clone a VM on a Layer 2 Network
When cloning a VM, you can select a Layer 2 Network during the clone workflow.
The network selection page that appears during cloning follows the same workflow as the VM deployment process.
Navigate to Virtual Machines > Virtual Machines.
Select the VM you want to clone.
Select Clone.
On the network selection page, choose Layer 2 Network as the network type.
Select the Layer 2 Network from the list and complete the clone process.
The same limitations apply: security groups are disabled, and only one VM can be cloned at a time.
View Layer 2 Network details
To view details and connected VMs for a Layer 2 Network:
Navigate to Networks and Security > Networks.
Identify Layer 2 Networks by the Layer 2 Network tag displayed next to each network name. Select the specific Layer 2 Network you want to inspect.
The network details page displays the network type as Physical. You will not be able to view details on Subnets, Router Attachments, and DHCP Configuration.
Edit a Layer 2 Network
You can update the name and description of a Layer 2 Network after it is created. The VLAN ID and physical network cannot be changed.
Navigate to Networks and Security > Networks.
Select the Layer 2 Network you want to edit.
Select Edit.
Update the Name or Description as needed.
Select Save.
Delete a Layer 2 Network
Deleting a Layer 2 Network detaches all VMs connected to it. Ensure no active workloads depend on the network before proceeding.
Navigate to Networks and Security > Networks.
Select the Layer 2 Network you want to delete.
Select Delete.
Confirm the deletion when prompted.
Next steps
After creating a Layer 2 Network and configuring IP addresses in your guest OS, you can continue managing your VMs:
Last updated
Was this helpful?