Raymond Norton asked on

Solution needed to extend layer 2 vlans across layer 3 link

We utilize Fortigate vdoms for many school districts. Currently, as recommended by Fortigate, we extend the school vlans across our WAN. The vlans become virtual interfaces on the Fortigate vdom, which firewall policies are applied to. This works very well for us, but recently this design caused issues on our WAN because of LAN issues at one of the districts bleeding over to the WAN. The solution we are currently implementing is to create a single, transient vlan and route all other vlan subnets through it to the Fortigate. This works for simple configurations but is not a viable solution for complex Fortigate configurations. The best solution would allow us to extend the district layer 2 vlans across a layer 3 connection and then pick up the vlan again at the Fortigate so it can be used as a virtual interface with the same subnet as what is used at the school district. (See drawing.)

The switches we are currently using are Aruba 3810s.

What options are available in this scenario?

Thank you for assistance!
Layer-3-link.pdf
Tags: VLAN, Routers, Networking


8/22/2022 - Mon
skullnobrains

Level 2 over level 3 points to various tunnelling technologies: IPsec VPNs, GRE, GIF... FortiGate handles at least IPsec and GRE. Not sure about GIF.

That said, you probably should reconsider whether using the same LANs and VLANs in all locations is indeed your best bet. Unless you have dedicated fiber links between sites, you probably should stick to different L3 networks at each site, for performance and security reasons.
Raymond Norton

ASKER
We need the layer 2 interfaces for full functionality. Did some research and it seems I may be able to implement VXLAN. Will work with it next week to see if it is the answer.
skullnobrains

VXLAN should be workable but likely not your best bet. The VXLAN idea is to produce distributed switching on a very large scale, which will likely prove complex to set up. If you have Ciscos, they probably handle it. Not sure which version of FortiOS would handle it.
myramu

Hello Raymond,

You may use VXLAN over IPsec to transit the same VLAN from one site to the other site. Refer to the link below for the FortiGate configuration:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD38614

If there is no strong reason, I wouldn't recommend using the same VLANs across all sites. This creates complex routing (also, L2 broadcasts over-utilize your WAN bandwidth) and troubleshooting issues when you have network problems.

Good Luck!
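To make concrete what "VXLAN over IPsec" carries across the routed WAN, here is an added example (not from the thread or from Fortinet's KB article) that builds and parses the RFC 7348 VXLAN header around a constructed 802.1Q-tagged broadcast frame; the outer IP/UDP (port 4789) and IPsec wrapping are assumed to be added by the VTEP and are not modelled. It also flags whether the inner frame is a broadcast, which is exactly the traffic that ends up on the WAN once L2 is stretched:

```python
import struct
from typing import Dict, Tuple

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN UDP port (outer header, not built here)
VXLAN_FLAG_VNI_VALID = 0x08    # "I" flag: the VNI field is valid
BROADCAST_MAC = b"\xff" * 6

def vxlan_encapsulate(vni: int, frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header to an Ethernet frame.
    Layout: flags(8) reserved(24) | VNI(24) reserved(8). The result is the UDP
    payload a VTEP sends, so the inner VLAN frame crosses the L3 WAN as IP."""
    if not 0 <= vni < 2**24:
        raise ValueError("VNI must fit in 24 bits")
    header = struct.pack("!BBHI", VXLAN_FLAG_VNI_VALID, 0, 0, vni << 8)
    return header + frame

def vxlan_decapsulate(payload: bytes) -> Tuple[int, bytes]:
    """Parse the VXLAN header and return (vni, inner Ethernet frame)."""
    if len(payload) < 8:
        raise ValueError("truncated VXLAN header")
    flags, _, _, vni_field = struct.unpack("!BBHI", payload[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set")
    return vni_field >> 8, payload[8:]

def inner_frame_summary(frame: bytes) -> Dict[str, object]:
    """Describe the inner L2 frame: MACs, 802.1Q VLAN id if tagged, and whether
    it is a broadcast that a stretched L2 domain would flood over the WAN."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id = None
    if ethertype == 0x8100:   # 802.1Q tag present: TCI then the real EtherType
        vlan_id = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan_id,
            "ethertype": ethertype, "floods_wan": dst == BROADCAST_MAC}

# Constructed sample (assumption): a broadcast ARP request tagged VLAN 110,
# as a district access switch would emit it. VLAN id and MACs are made up.
SAMPLE_FRAME = (BROADCAST_MAC + bytes.fromhex("001122334455")
                + b"\x81\x00" + struct.pack("!H", 110) + b"\x08\x06" + b"\x00" * 28)

if __name__ == "__main__":
    vni, inner = vxlan_decapsulate(vxlan_encapsulate(110, SAMPLE_FRAME))
    print(vni, inner_frame_summary(inner))
```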
Raymond Norton

ASKER
We have 19 school districts, all with multiple, unique vlans. The vlans only extend from each district to the Fortigate vdom and are not configured on the other district switches.

Thank you for your response. I will check it out on Monday!
skullnobrains

That kind of setup would call for GRE over IPsec. I kinda remember this is built in to Fortinet. That said, there is little point to having any VLAN go past the local gateway. Good luck.
kevinhsieh

I run a complex network of 20 sites. Each site has multiple VLANs.

I have private point to point links via L2, as well as MPLS like L3 links, and IPsec tunnels. The entire network is routed. There is no need for spanning L2 across sites in my network, and I really doubt that you have needs for it either.

Spanning L2 across sites is more important for trying to span a single datacenter across multiple locations.

You may want to bring in a network engineer to look at what the goals and needs are, and to develop a better solution. It is quite possible that you just think you need to stretch L2 across sites, where another solution would be better.
atlas_shuddered

VXLAN is definitely a potential solution but I am betting that it is going to require more engineering and impact than you would want to put in.

That said, why not utilize L2TP?
skullnobrains

Seems sensible to me as well. Fortinet handles L2TP decently as long as it is set up between Fortinets. It might prove difficult to get it to work with different vendors on the remote end of the tunnels.

But again, intersite level 2 is quite a pain (I'm currently using such a setup) and I see little point in the exposed scenario. Additionally, it brings a whole world of security issues.

I personally restrict the level 2 usage to WAN IP sharing between datacenters, a single routing VLAN that handles all the LAN to LAN traffic, and a few edge cases such as deploying a new deployer on a new datacenter using existing deployers of another one. And I really recommend you reconsider expanding LANs past each site's firewall.
Raymond Norton

ASKER
The Fortigate IS the firewall for each site (vdom), and extending vlans via a tunnel is our best approach. I will look into L2TP along with VXLAN.
skullnobrains

Stick with L2TP: this is quite trivial to set up on FortiOS. Good luck.
atlas_shuddered

One short note, in case I was less than transparent above. Be careful with VXLAN and make sure you understand what you are getting into before you implement. It is a very powerful technology, which looks simple on the surface but can lead to numerous headaches if you aren't going in armed.

Major caveats include:
- Equipment dependent (older hardware won't support it).
- Topology dependent (to a great extent anyway - you don't have to do spine and leaf I guess, but your headache factor will definitely go up otherwise).
- Layer 3 boundary dependent (VXLAN is all or none within layer 2 areas - transitions to traditional layer 2/non-segment require a layer 3 boundary).

Not trying to dissuade you, it is a great technology. Just make sure you have thought it through before you pull the trigger, because it can go from butterflies and unicorn farts to the proverbial mega blender 6x10^9, quick, fast and in a hurry if your ducks aren't in a row going in.
Raymond Norton

ASKER
Good timing. I just successfully ran my first VXLAN tunnel test, on Aruba 3810s, alongside standard L2 vlans, and both are working as expected. I wasn't sure if it had to be one or the other but hoped they could coexist while we make the transition. Once the core switch arrives, we will test from one site before implementing on a larger scale. I am working with Aruba at each step to avoid missteps and caveats.
ASKER CERTIFIED SOLUTION
Raymond Norton
skullnobrains

Hmm... missed the part where you had a single remote Fortinet. Good to see you got it working.