We help IT Professionals succeed at work.

Solution needed to ex layer 2 vlans across layer 3 link

Raymond Norton
on
We utilize Fortigate vdoms for  many school districts. Currently, as recommended by Fortigate, we extend the school vlans across our WAN. The vlans become virtual interfaces on the Fortigate vdom which firewall policies are applied to. This works very well for us but, recently, this design caused issues on our WAN because of LAN issues at one of the districts bleeding over to the WAN. The solution we are currently implementing is to create a single, transient vlan and route all other vlan subnets through it to the Fortigate. This works for simple configurations but is not a viable solution for complex Fortigate configurations. The best solution would allow us to  extend the district layer 2 vlans across a layer 3 connection and then pick up the vlan again at the Fortigate so it can be used as a virtual interface with the same subnet as what is used at the school district. (See drawing) .

The switches we are currently using are Aruba 3810s

What options are available in this scenario?

Thank you for assistance!
Layer-3-link.pdf
Comment
Watch Question

level 2 over level 3 point to various tunnelling technologies : IPSEC VPNs, gre, gif ... fortigate handles at least ipsec and gre. not sure about gif.

that said, you probably should reconsider whether using the same lans and vlans in all locations is indeed your best bet. unless you have dedicated fiber links between sites, you probably should stick to different L3  networks at each site, for performance and security reasons.
Raymond NortonWAN Admin

Author

Commented:
We need the layer 2 interfaces for full functionality. Did some research and it seems I may be able to implement VxLAN. Will work with it, next week to see if it is the answer.
Vxlan should be workable but likely not your best bet. the vxlan idea is to produce distributed switching on a very large scale which will likely proove complex to setup. If you have ciscos, ghey probably handle it. Not sure which version of fortios would handle it
Hello Raymond,

You may use vxlan over IPSec to trasit the same vlan from one site to other site. Refer the below link for FortiGate configuration,
https://kb.fortinet.com/kb/documentLink.do?externalID=FD38614

If there is no strong reason I won't recommend to use same VLANs across all sites. This creates complex routing (Also L2 broadcasts over utilize your wan bandwidth) and troubleshooting issues when you have network problems.

Good Luck!
Raymond NortonWAN Admin

Author

Commented:
We have 19 school districts. All with multiple, unique vlans. The vlans only extend from each district to the Fortigate vdom and are not configured on the other district switches.

Thank you for your response. I will check it out on Monday!
That kind of setup would call for gre over ipsec. I kinda remember this is builtin fortinet. That said, there is little point to have any vlan go past the local gateway. Good luck
kevinhsiehNetwork Engineer

Commented:
I run a complex network of 20 sites. Each site has multiple VLANs.

I have private point to point links via L2, as well as MPLS like L3 links, and IPsec tunnels. The entire network is routed. There is no need for spanning L2 across sites in my network, and I really doubt that you have needs for it either.

Spanning L2 across sites is more important for trying g to span a single datacenter across multiple locations.

You may want to bring in a network engineer to look at what the goals and needs are, and to develop a better solution. It is quite possible that you just think you need to stretch L2 across sites, where another solution would be better.
atlas_shudderedSr. Network Engineer

Commented:
VXLAN is definitely a potential solution but I am betting that it is going to require more engineering and impact than you would want to put in.

That said, why not utilize L2TP?
seems sensible to me as well. fortinet handles l2TP decently as long as it is setup between fortinets. it might proove difficult to get it to work with different vendors on the remote end of the tunnels.

but again intersite level 2 is quite a pain ( i'm currently using such a setup ) and i see little point in the exposed scenario. additionally it brings a whole world of security issues.

i personally restrict the level 2 usage to wan ip sharing between datacenters, a single routing vlan that handles all the lan to lan traffic, and a few edge cases such as deploying a new deployer on a new datacenter using existing deployers of another one. and really recommend you reconsider expanding lans past each site's firewall.
Raymond NortonWAN Admin

Author

Commented:
The Fortigate IS the firewall for each site. (Vdom) and extending vlans via a tunnel is our best approach. I will look into l2tp along with VxLAN.
stick with l2tp : this is quite trivial to setup on fortios. good luck
atlas_shudderedSr. Network Engineer

Commented:
One short note, in case I was less than transparent above.  Be careful with VXLAN and make sure you are understanding what you are getting into before you implement.  It is a very powerful technology, which looks simple on the surface but can lead to numerous headaches if you aren't going in armed.

Major caveats include:
Equipment dependent (older hardware won't support it),
Topology dependent (to a great extent anyway - you don't have to do spine and leaf I guess but your headache factor will definitely go up otherwise),
Layer 3 boundary dependent (VXLAN is all or none within layer 2 areas - transitions to traditional layer 2/non-segment requires a layer 3 boundary),

Not trying to dissuade you, it is a great technology.  Just make sure you have thought it through before you pull the trigger because it can go from butterflies and unicorn farts to the proverbial mega blender 6x10^9, quick, fast and in a hurry if your ducks aren't in a row going in.
Raymond NortonWAN Admin

Author

Commented:
Good timing. I just successfully ran my first vxlan tunnel test, on Aruba 3810s, along side standard L2 vlans and both are working as expected. I wasn't sure if it had to be one or the other but hoped they could coexist while we make the transition. Once the core switch arrives, we will test from one site before implementing on a larger scale. I am working with Aruba with each step to avoid missteps and caveats.
WAN Admin
Commented:
Possibly, I should have explained my scenario better. I received great suggestions, if our design had been firewall to firewall. However, our network is School LAN switch to a Fortigate Vdom on the far end (across the WAN). That being said, VxLAN shows great promise and I am currently implementing it in a small scale. It is proving to work as needed. Thank you for your assistance and expert opinions.
Hmm... missed the part you had a single remote fortinet. Good to see you got it working.