What's the best way to configure a vxlan tunnel between two sites utilising path diversity?
In the attached sketch, we have already established a single ipsec tunnel on each wan interface to various endpoints within our "cloud", and ospf is used for failover. We have a need for a vxlan tunnel to join an interface at each site on layer 2, and the expectation is that it will take advantage of the existing path diversity. Obviously, to do so, the vxlan tunnel cannot terminate on any wan interface. The path will traverse multiple FGTs within our network (not shown).
Would it be best to:
- build the tunnel to a loopback interface on each FGT? (sounds easy)
- use a vdom in each FGT and build the tunnel on the virtual-link? (sounds harder)
- something else?
Other than MTU (which is controllable and likely not an issue) I assume there is no issue with running the vxlan tunnel within the existing tunnels?
We run 5.4 in production; is there any advantage in moving to 5.6 for this?
So far in bench testing we have built the vxlan tunnel to a loopback interface on each FGT, with the FGTs back to back on wan1.
The tunnel is working fine which essentially answers the question above. We will now add the real world paths and diversity but that shouldn't change anything.
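A worked illustration of the loopback approach the follow-up confirms, written here as added FortiOS CLI and not the poster's own configuration. It shows site A only; all interface names, addresses and the VNI are assumed, site B mirrors it with the addresses swapped, and the exact syntax should be checked against the 5.4 CLI reference.

```fortios
# Assumed: loopback "lo-vx" 10.255.0.1/32 (peer 10.255.0.2), LAN "port3",
# existing IPsec phase1 interfaces "vpn-wan1" and "vpn-wan2".
config system interface
    edit "lo-vx"
        set type loopback
        set ip 10.255.0.1 255.255.255.255
    next
end
# VXLAN sourced from the loopback: the underlay route to 10.255.0.2 is whichever
# IPsec tunnel OSPF prefers at the moment, so no WAN interface is involved.
config system vxlan
    edit "vx-siteb"
        set interface "lo-vx"
        set vni 1000
        set remote-ip "10.255.0.2"
    next
end
# Join the LAN port and the VXLAN interface at layer 2.
config system switch-interface
    edit "l2-bridge"
        set member "port3" "vx-siteb"
    next
end
# Advertise the loopback in the existing OSPF so tunnel failover is automatic.
config router ospf
    config network
        edit 10
            set prefix 10.255.0.1 255.255.255.255
            set area 0.0.0.0
        next
    end
end
# Only VXLAN (UDP/4789) arriving over the IPsec tunnels may reach the loopback;
# narrow srcaddr to an address object for 10.255.0.2 to tighten it further.
config firewall service custom
    edit "VXLAN-udp4789"
        set udp-portrange 4789
    next
end
config firewall policy
    edit 0
        set srcintf "vpn-wan1" "vpn-wan2"
        set dstintf "lo-vx"
        set srcaddr "all"
        set dstaddr "all"
        set service "VXLAN-udp4789"
        set action accept
        set schedule "always"
    next
end
```

With the VXLAN and IPsec headers stacked, lower the MTU on the bridged LAN side (or confirm the tunnel MTU) before carrying real traffic, as the original post notes.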