Support Forum
jm-barreto

Multiple sites using VXLAN over IPsec

Hi

I have a requirement in my job to develop a connection that will be used as a Disaster Recovery link between multiple sites (customers) and their private cloud environment or colocation in our Data Center. I created a lab, and I was able to make this work using a static VPN tunnel and extending the customer LAN using VXLAN. But I'd like some information or a recommendation on whether this is the best implementation to fulfill this requirement. Also, I want to know if there is some limitation. I'm using a software switch to bridge the VXLAN and the VLAN; is there any limitation on how many software switches I can create? Also, how is the bandwidth managed in this scenario? Is the total backplane bandwidth of the firewall divided among each software switch? I will use a FortiGate 100F as the "HUB" firewall and a 60F for the remote site.
Also, I was trying to do another scenario but using a dial-up VPN. I want to make this work with dial-up because I won't be doing much regarding the VPN tunnel on the HUB side. I followed this guide: https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/247006/vxlan-over-ipsec-using-a-vxlan-tunnel-endpoint

I get the tunnel up, but after configuring the IP on the VPN interface, I can't get a reply from the other end. I was just testing with one spoke first. My configuration is exactly as in the guide.

I notice that in this guide the spokes are in the same segment. Is it possible to do VXLAN with a dial-up VPN where each spoke is a separate customer? Also, can a customer pass more than one VXLAN/VLAN?
I will appreciate any information that you can provide.
Thanks
(attachment: vxlan.jpg)

JBC
Christian_89

For your first scenario, using a static VPN tunnel and extending the customer LAN using VXLAN is a valid approach to achieve disaster recovery between multiple sites. However, you need to consider the bandwidth requirements and potential limitations of your firewall model. The FortiGate 100F has a total backplane bandwidth of 20 Gbps, so the bandwidth will be shared among all interfaces, including software switches. Therefore, you may want to consider using a higher-end FortiGate model or multiple firewalls for better performance.

Regarding the software switch limitation, the number of software switches you can create depends on the available resources of your firewall. The FortiGate 100F supports up to 16 virtual LAN interfaces (VLANs) and 8 virtual switches. You can check the available resources using the "get system performance status" command in the CLI.

For your second scenario, VXLAN over dial-up VPN is possible, but each spoke needs to be in a separate segment to avoid IP address conflicts. It is also possible for a customer to pass more than one VXLAN/VLAN, but you need to configure the firewall accordingly to allow the traffic to pass through.

Regarding the issue with the VPN interface not getting a reply from the other end, you may want to check the firewall policies and routing configurations to ensure that the traffic is being forwarded correctly. You can also use packet capture to troubleshoot the issue.
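
As an added example (not part of the original post, the reply above, or the Fortinet guide), this is what the static-tunnel design from the question looks like in FortiOS CLI, with one VNI and one software switch per customer VLAN so that two customers never share a VNI or a bridge, and so that one customer can carry more than one VLAN. Every interface name, VNI, VLAN ID and tunnel address here is an assumption: "to_cust1" / "to_hub" are the existing static IPsec interfaces (phase1/phase2 and the tunnel IPs 10.255.1.1 on the hub and 10.255.1.2 on the spoke are taken as already configured, as in the poster's lab), "port5" is the hub-side trunk towards the DR environment, and "internal" is the spoke's LAN port.

```fortios
# ---- Hub (FortiGate 100F), constructed example, names/IDs are assumptions ----
# One VXLAN endpoint per customer VLAN, bound to the customer's IPsec interface.
# The VNI (1-16777215) is the isolation key: customer 1 uses 1001xx, a second
# customer would get its own range and its own tunnel interface.
config system vxlan
    edit "vx_cust1_v100"
        set interface "to_cust1"
        set vni 100100
        set ip-version ipv4-unicast
        set remote-ip "10.255.1.2"
    next
    edit "vx_cust1_v200"
        set interface "to_cust1"
        set vni 100200
        set ip-version ipv4-unicast
        set remote-ip "10.255.1.2"
    next
end
# Hub-side VLAN sub-interfaces on the trunk towards the DR environment.
config system interface
    edit "cust1_v100"
        set vdom "root"
        set interface "port5"
        set vlanid 100
    next
    edit "cust1_v200"
        set vdom "root"
        set interface "port5"
        set vlanid 200
    next
end
# One software switch per (customer, VLAN) pair: it bridges exactly one VXLAN
# and one VLAN, so a mistake in one customer's config cannot leak into another.
config system switch-interface
    edit "sw_cust1_v100"
        set vdom "root"
        set member "vx_cust1_v100" "cust1_v100"
    next
    edit "sw_cust1_v200"
        set vdom "root"
        set member "vx_cust1_v200" "cust1_v200"
    next
end

# ---- Spoke (FortiGate 60F), mirror of the hub for VLAN 100 only ----
config system vxlan
    edit "vx_v100"
        set interface "to_hub"
        set vni 100100
        set ip-version ipv4-unicast
        set remote-ip "10.255.1.1"
    next
end
config system interface
    edit "lan_v100"
        set vdom "root"
        set interface "internal"
        set vlanid 100
    next
end
config system switch-interface
    edit "sw_v100"
        set vdom "root"
        set member "vx_v100" "lan_v100"
    next
end
```

Frames between the two members of one software switch are bridged at layer 2 without a firewall policy, which is what makes the customer VLAN appear at the other end; anything that should leave the bridge (for example, towards a DR network routed behind the hub) still needs a policy from the switch interface. Because the VXLAN endpoint is bound to the IPsec interface, the UDP/4789 encapsulation is visible as inner traffic on that interface, so `diagnose sniffer packet to_cust1 'udp port 4789' 4 0 l` on the hub shows whether frames are being encapsulated and with which VNI before you look at policies or routing. The VNI and remote-ip must match on both ends; a VNI mismatch silently drops frames rather than producing an error.
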

jm-barreto

Hi @Christian_89 
Thanks for the information
Is there documentation, or somewhere I can find the information, that shows how many software switches and VLANs I can create? I checked the datasheet for the 100F, but it doesn't specify those limitations. Also, I validated the "print tablesize" command in the CLI, and there is no limitation on system.switch-interface, and for system.interface it says it can use 4096 (hardware & virtual).

JBC