Created on 12-23-2019 02:01 AM Edited on 02-05-2024 01:22 AM By Jean-Philippe_P
Description
This article describes how to extend VLANs (VXLAN) over multiple WAN connections (SD-WAN).
Solution
Virtual Extensible LAN (VXLAN) is a network virtualization technology used in large cloud computing deployments.
It encapsulates OSI layer 2 Ethernet frames within layer 3 IP packets using standard destination port 4789.
SD-WAN load balances traffic across multiple WAN connections and thereby provides redundancy when one of the WAN connections is unavailable.
In this scenario, FortiGate has multiple WAN connections which are configured under SD-WAN interface.
Multiple VLANs (same at both locations) are configured.
VXLAN connects locations at Layer2 over Layer3.
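As an added protocol-level illustration (not from the article or from FortiOS), the following Python builds and parses the VXLAN encapsulation described above: the 8-byte VXLAN header in front of the original layer 2 frame, including the 802.1Q tag that identifies which VLAN is being extended across the layer 3 path. MAC addresses, VNI and payload are constructed sample values.

```python
import struct

VXLAN_PORT = 4789            # standard VXLAN UDP destination port
VXLAN_FLAG_VNI_VALID = 0x08  # RFC 7348 "I" flag: the VNI field is valid
ETHERTYPE_8021Q = 0x8100

def vxlan_encap(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header (flags, 3 reserved, 3-byte VNI, 1 reserved)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + struct.pack(">I", vni << 8) + inner_frame

def vxlan_decap(udp_payload: bytes) -> dict:
    """Parse a VXLAN UDP payload (as seen on port 4789) and return the VNI plus the
    inner Ethernet header, including the 802.1Q VLAN ID the original frame carried."""
    if len(udp_payload) < 8 + 14:            # VXLAN header + minimal Ethernet header
        raise ValueError("truncated VXLAN packet")
    if not udp_payload[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    vni = struct.unpack(">I", udp_payload[4:8])[0] >> 8
    inner = udp_payload[8:]
    dst_mac, src_mac = inner[0:6], inner[6:12]
    ethertype = struct.unpack(">H", inner[12:14])[0]
    vlan_id = None
    if ethertype == ETHERTYPE_8021Q:         # tagged frame: VLAN ID travels inside VXLAN
        if len(inner) < 18:
            raise ValueError("truncated 802.1Q header")
        vlan_id = struct.unpack(">H", inner[14:16])[0] & 0x0FFF   # strip PCP/DEI bits
        ethertype = struct.unpack(">H", inner[16:18])[0]
    return {"vni": vni, "dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
            "vlan_id": vlan_id, "ethertype": ethertype}

def sample_tagged_frame(vlan_id: int, dst_mac: bytes, src_mac: bytes, payload: bytes = b"") -> bytes:
    """Constructed sample: an 802.1Q-tagged Ethernet frame carrying IPv4 (0x0800)."""
    tci = vlan_id & 0x0FFF                   # priority 0, DEI 0
    return dst_mac + src_mac + struct.pack(">HHH", ETHERTYPE_8021Q, tci, 0x0800) + payload
```

Running vxlan_decap over UDP/4789 payloads captured between the two loopback addresses is a quick way to confirm that the expected VNI and VLAN IDs are actually crossing the WAN.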
- WAN Configuration.
As shown in the diagram, both FortiGates have multiple WAN connections, namely wan1 and wan2.
FortiGate 1 | FortiGate 2
# config system interface | # config system interface
- Loopback Interface.
A loopback interface is configured at each location.
# config system interface | # config system interface
- VXLAN Interface.
A VXLAN interface is configured and bound to the loopback interface.
The remote IP configured under system.vxlan is the loopback interface IP address of the peer side.
# config system vxlan | # config system vxlan
- SD-WAN Interface.
An SD-WAN interface is configured with wan1 and wan2 defined as its members.
# config system virtual-wan-link | # config system virtual-wan-link
- Static Route.
A single static route is configured to send all outbound traffic via the SD-WAN interface.
# config router static | # config router static
- Switch Interface.
A software switch is configured with port1 and the VXLAN interface 'vxlan1'.
Port1 is connected to an internal switch where multiple VLAN interfaces are configured.
In the configuration below, the 'set intra-switch-policy implicit' setting (the default) implicitly allows traffic between the switch members port1 and vxlan1.
# config system switch-interface | # config system switch-interface
Note that if 'set intra-switch-policy explicit' is used, additional firewall policies are required to allow traffic between port1 and vxlan1.
- Firewall Policy.
A firewall policy is needed to allow traffic between the SD-WAN and the loopback interfaces.
# config firewall policy | # config firewall policy
- Testing.
When Host1 (VLAN10: 192.168.10.1/24), connected to switch1, tries to reach Host2 (VLAN10: 192.168.10.2/24), connected to switch2, the following behavior is observed.
C:\Users\Host1>ping 192.168.10.2
Pinging 192.168.10.2 with 32 bytes of data:
Reply from 192.168.10.2: bytes=32 time=37ms TTL=50
Reply from 192.168.10.2: bytes=32 time=34ms TTL=50
Reply from 192.168.10.2: bytes=32 time=37ms TTL=50
Reply from 192.168.10.2: bytes=32 time=43ms TTL=50
Ping statistics for 192.168.10.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 34ms, Maximum = 43ms, Average = 37ms
The benefit of the above setup is that if wan1 becomes unreachable, traffic between the hosts at both locations flows over the wan2 connection.
The above scenario can also work without an SD-WAN interface.
Instead of an SD-WAN interface, a static route for each WAN interface should be configured.