Layer 2 VXLAN via VPN tunnels -Multiple VPN Tunnels How to Prioritize | Fortinet Technical Discussion Forums

Join us now!

Username
Password
Verification
	Stay logged in

Forgot Your Password? Forgot your Username? Haven't received registration validation E-mail?

User Control Panel Log out

Forums
Posts

Latest Posts

Active Posts

Recently Visited

Search Results

View More
Blog

Recent Blog Posts

View More
Photos

Recent Photos

My Favorites

View More Photo Galleries
PMs

Unread PMs

Inbox

Send New PM View More
Page Extras
Menu
- Forum Themes
- Member List
- Online User List
- User Groups

Videos, Docs Library, KB
Fuse
- Fuse Fortinet User Community

Mark Thread UnreadFlat Reading Mode ❐

Hot!Layer 2 VXLAN via VPN tunnels -Multiple VPN Tunnels How to Prioritize

Author Post Essentials Only Full Version
danielrgrein@hotmail.com New Member Total Posts : 1 Scores: 0 Reward points: 0 Joined: 2020/11/26 18:18:53 Status: offline 2020/11/26 18:43:47 (permalink) 0 Layer 2 VXLAN via VPN tunnels -Multiple VPN Tunnels How to Prioritize Question, I set up a VXLAN over IPSEC with a soft switch to extend a network to a remote site. It works, however, I have multiple ISPs and want to have a backup path for the VXLAN over IPSEC. I was able to get it work by adding the additional "ports" to the software switch. Is it possible to control which one is the "primary" tunnel for the VXLAN extended network? One has lower latency then the other and right now it is hit and miss which one it uses. Thank you in advance for any assistance. #1 5 Replies Related Threads
Toshi Esumi Expert Member Total Posts : 2403 Scores: 233 Reward points: 0 Joined: 2014/11/06 09:56:42 Status: offline Re: Layer 2 VXLAN via VPN tunnels -Multiple VPN Tunnels How to Prioritize 2020/11/26 22:49:49 (permalink) 0 I haven't done it myself. But based on the concept the VXLAN works and the fact that FGT doesn't do STP/RSTP, I don't think you can control which L2 path to take when redundancy exists between two switches on the FGT side. It would be decided by the switches('bridges') and you might or might not be able to control in case the hops are the same. But I believe at least FGTs pass BPDUs over VXLAN (I tested only over physical link though) by default without additional config. However, I can think of a way to get the same outcome at L3 level with a FGT pair on both ends with link-monitor. First you set a lower number of priority or distance on the primary static route over the primary VPN, then set opposite on the backup route. Then you need to configure a set of tunnel interface IPs on both ends at least on the primary VPN (it's probably not in the VXLAN over IPsec config doc), you should be able to ping the IP on the opposite end to detect the primary IPsec down with a link-monitor. In the link-monitor, you can remove the static route on the primary side to use the backup VPN when the tunnel goes down. If you decide to adopt this idea, please let me know if it worked or not. I don't see any reason not to work though. #2
andyhilton27 New Member Total Posts : 2 Scores: 0 Reward points: 0 Joined: 2020/11/26 23:29:10 Status: offline Re: Layer 2 VXLAN via VPN tunnels -Multiple VPN Tunnels How to Prioritize 2020/11/26 23:38:18 (permalink) 0 Is it possible to connect to 2 different vpns at the same time? Need to access 2 different programs through 2 different vpns at the same time mcdvoice mybkexperience post edited by andyhilton27 - 2020/11/28 03:48:22 #3
Toshi Esumi Expert Member Total Posts : 2403 Scores: 233 Reward points: 0 Joined: 2014/11/06 09:56:42 Status: offline Re: Layer 2 VXLAN via VPN tunnels -Multiple VPN Tunnels How to Prioritize 2020/11/27 08:18:24 (permalink) 0 First, my suggestion never disconnect VPNs. Just control the routes. Both VPNs are up all the time. Besides, if applications use two VPNs independently, that's NOT VXLAN. Or outside of VXLAN. If a VXLAN shares one subnet, say 192.168.1.0/24, between two locations, while 172.x.y.z/16s exists at both locations for the applications, those applications wouldn't be affected by VXLAN. They are two different/independent things each other. #4
Toshi Esumi Expert Member Total Posts : 2403 Scores: 233 Reward points: 0 Joined: 2014/11/06 09:56:42 Status: offline Re: Layer 2 VXLAN via VPN tunnels -Multiple VPN Tunnels How to Prioritize 2020/11/27 09:10:29 (permalink) 0 Actually I just pointed out my original idea's flaw myself. There is no routes to control for VXLAN traffic by link-monitor. Sorry. You really need to do it with spanning-tree protocol on the switch side. #5
emnoc Expert Member Total Posts : 5919 Scores: 394 Reward points: 0 Joined: 2008/03/20 13:30:33 Location: AUSTIN TX AREA Status: offline Re: Layer 2 VXLAN via VPN tunnels -Multiple VPN Tunnels How to Prioritize 2020/11/27 10:48:50 (permalink) 0 yeah I was going to say the same thing. BAck to OP issues, are BPDUs being sent over ipsec-tunnels ? diag sniffer packet any "not ip" 4 Ken Felix PCNSE NSE StrongSwan #6

Jump to:

© 2021 APG vNext Commercial Version 5.5