Cisco ASA firewalls (pre-X series) are still extremely common.
This entry describes a redundant VPN setup with two ISPs on the branch firewall (Cisco ASA 5505) and one ISP on the datacenter/hub side (Cisco ASA 5510).
The branch office has a cable connection as its primary ISP and a backup 4G Cradlepoint. We will use IP SLA to track the Internet status of the cable connection, and a floating static route to control backup route priority.
The idea at the branch office is that two different crypto maps exist, one mapped to each interface. If the SLA fails and brings down the primary Internet connection, traffic starts going out of the backup connection, which has the backup crypto map applied. When the primary interface comes back up, traffic goes back over the crypto map applied to it. This way the VPNs do not flip-flop, and it solves the problem of having one crypto map applied to two different interfaces.
VXLAN is a Layer 2 overlay scheme over a Layer 3 network. VXLAN uses MAC-in-UDP (MAC Address-in-User Datagram Protocol) encapsulation to extend Layer 2 segments across a Layer 3 segment. In practice this means the Layer 2 frame gets a VXLAN header applied, and that frame is then encapsulated in a UDP/IP packet and sent across the Layer 3 network.
VXLAN (Virtual Extensible LAN) encapsulation was added in later FortiOS 5.4 firmware. It is a great technology for connecting sites at Layer 2 over Layer 3. Something to note: as of FortiOS 5.6.2, lots of improvements and enhancements have been made to VXLAN encapsulation. For example, VLAN trunking now works well, and multicast will also traverse the VXLAN!
So far I have set this up for two different clients. Both were situations where Layer 2 had to be stretched for a specific purpose; in the most recent case it was between two different data centers. Below is the scenario and the configuration of the FortiGates, as well as the ARP and MAC tables from the Cisco switch. Fortinet also has some great documentation on this feature (links below).
The diagram below shows our simple layout. The red line indicates the VXLAN encapsulation path; encapsulation only happens at the FortiGate firewalls.
Here is a checklist of what is needed:
1. Create the VXLAN VPN (an IPsec phase 1 with VXLAN encapsulation):
   encap-local-gw4 is the public address of the local firewall
   encap-remote-gw4 is the peer address of the other side
   remote-gw is the peer address of the other side
2. Create a new software switch interface
3. Add both the local network interface and the VXLAN VPN interface to this switch
4. Create firewall policies to allow the traffic
Thoughts and observations:
Lowering the MTU of the VXLAN/internal interface might be a good idea. VXLAN encapsulation adds around 50 bytes. Most Cisco documentation will tell you to increase the MTU, but since this runs over the Internet, increasing the MTU means lots of fragmentation.
No IP address is needed on the switch interface. In fact, I have seen minor issues when putting an IP address on it.
In the CLI, use the commands below to get broadcasts (be careful) and ARP to cross the tunnel. Replace <interface-name> with the interface in question:
config system interface
    edit "<interface-name>"
        set l2forward enable
        set broadcast-forward enable
    next
end
In 5.6.2, VLAN tags will pass through the tunnel.
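The "around 50 bytes" above is the VXLAN part alone (outer IPv4 + UDP + VXLAN header + the inner Ethernet header). Because this design sends the VXLAN packets through an IPsec tunnel, ESP adds its own headers, IV, padding and ICV on top, so the inner MTU that fits a 1500-byte WAN path is lower than 1450. The calculator below is an added example, not code from the post or from Fortinet; the byte counts come from the VXLAN and ESP packet formats and assume the post's proposal aes256-sha1 in tunnel mode (AES-CBC with a 16-byte IV and block, HMAC-SHA1-96 with a 12-byte ICV), IPv4 outer headers and no IP options. FortiOS with a different proposal (GCM, NAT-T, IPv6 outer) will give different numbers, which is why the values are parameters.

```python
"""Inner-MTU budget for VXLAN over IPsec.

Added example, not code from the original post or from Fortinet.  The byte
counts come from the VXLAN (RFC 7348) and ESP (RFC 4303) packet formats and
assume the post's proposal aes256-sha1 in tunnel mode: AES-CBC (16-byte IV,
16-byte block) and HMAC-SHA1-96 (12-byte ICV), IPv4 outer headers, no options.
"""

ETH_HDR = 14          # inner Ethernet header carried inside VXLAN (FCS is not carried)
VLAN_TAG = 4          # extra 802.1Q tag when trunking VLANs through the tunnel
IPV4_HDR = 20
UDP_HDR = 8
VXLAN_HDR = 8
VXLAN_OVERHEAD = IPV4_HDR + UDP_HDR + VXLAN_HDR + ETH_HDR   # the "around 50 bytes" from the post

ESP_HDR = 8           # SPI + sequence number
AES_CBC_IV = 16
AES_BLOCK = 16
ESP_TRAILER = 2       # pad length + next header
SHA1_96_ICV = 12
NAT_T_UDP = 8         # UDP/4500 header when NAT traversal is active


def esp_tunnel_overhead(inner_len, nat_t=False):
    """Bytes ESP tunnel mode adds to an inner IP packet of inner_len bytes."""
    pad = (-(inner_len + ESP_TRAILER)) % AES_BLOCK      # pad to the cipher block size
    overhead = IPV4_HDR + ESP_HDR + AES_CBC_IV + pad + ESP_TRAILER + SHA1_96_ICV
    return overhead + (NAT_T_UDP if nat_t else 0)


def outer_packet_size(inner_frame_len, nat_t=False):
    """Size of the outer IP packet for an inner Ethernet frame of inner_frame_len bytes."""
    vxlan_pkt = inner_frame_len + IPV4_HDR + UDP_HDR + VXLAN_HDR   # this is what ESP protects
    return vxlan_pkt + esp_tunnel_overhead(vxlan_pkt, nat_t)


def max_inner_mtu(outer_mtu=1500, nat_t=False, tagged=False):
    """Largest inner IP MTU whose frames fit in outer_mtu with no outer fragmentation.

    ESP padding makes the outer size step in 16-byte blocks, so a downward
    search is the simplest exact answer."""
    frame_hdr = ETH_HDR + (VLAN_TAG if tagged else 0)
    for ip_mtu in range(outer_mtu, 0, -1):
        if outer_packet_size(ip_mtu + frame_hdr, nat_t) <= outer_mtu:
            return ip_mtu
    return 0


if __name__ == "__main__":
    print("VXLAN alone adds", VXLAN_OVERHEAD, "bytes")
    print("1500-byte inner IP packet on the wire:", outer_packet_size(1500 + ETH_HDR))
    print("inner MTU that fits a 1500-byte WAN MTU:", max_inner_mtu())
    print("same with NAT-T:", max_inner_mtu(nat_t=True))
    print("same with 802.1Q tags:", max_inner_mtu(tagged=True))
```

With these assumptions a host left at 1500 produces 1608-byte outer packets, and the inner MTU has to drop to 1388 (1372 behind NAT-T, 1384 when VLAN tags ride through) before the outer packet stops fragmenting on a 1500-byte path.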
SIDE 1 (60D)
config vpn ipsec phase1-interface
    edit "VXLAN"
        set interface "wan2"
        set peertype any
        set proposal aes256-sha1
        set encapsulation vxlan
        set encapsulation-address ipv4
        set encap-local-gw4 188.8.131.52
        set encap-remote-gw4 184.108.40.206
        set remote-gw 220.127.116.11
        set psksecret password
    next
end
config vpn ipsec phase2-interface
    edit "VXLAN_ph2"
        set phase1name "VXLAN"
        set proposal aes256-sha1
    next
end
config system switch-interface
    edit "VXLAN-SWITCH"
        set vdom "root"
        set member "internal1" "internal2" "VXLAN"
    next
end
Let's look at the switch in the GUI.
Then let's check out the firewall policies.
SIDE 2 (60E)
config vpn ipsec phase1-interface
    edit "VXLAN"
        set interface "wan1"
        set peertype any
        set proposal aes256-sha1
        set encapsulation vxlan
        set encapsulation-address ipv4
        set encap-local-gw4 18.104.22.168
        set encap-remote-gw4 22.214.171.124
        set remote-gw 126.96.36.199
        set psksecret password
    next
end
config vpn ipsec phase2-interface
    edit "VXLAN_ph2"
        set phase1name "VXLAN"
        set proposal aes256-sha1
    next
end
Let's look at the switch in the GUI.
Next let's check out the firewall policies.
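The two phase 1 entries have to mirror each other: each side's encap-local-gw4 must be the other side's encap-remote-gw4, remote-gw should point at the same peer address as encap-remote-gw4, both must say encapsulation vxlan, and the proposals must match. Getting one of those wrong produces an IKE SA that comes up while no VXLAN traffic flows, which is tedious to debug from the GUI. The script below is an added example, not Fortinet's code: it parses two FortiOS CLI snippets in the same shape as the ones above and reports every inconsistency, and it also flags a placeholder or short pre-shared key, which the snippets here (with psksecret password) would trip. The two snippets embedded in it are constructed with RFC 5737 documentation addresses; only the setting names come from the post. The PSK check is meaningful only on cleartext input, since a saved FortiOS config shows psksecret as an ENC blob.

```python
"""Consistency check for a pair of FortiOS VXLAN-over-IPsec phase1-interface entries.

Added example, not Fortinet's code.  SIDE_1/SIDE_2 are constructed with
RFC 5737 documentation addresses; the setting names match the post's config.
"""
import shlex

SIDE_1 = """
config vpn ipsec phase1-interface
    edit "VXLAN"
        set interface "wan2"
        set peertype any
        set proposal aes256-sha1
        set encapsulation vxlan
        set encapsulation-address ipv4
        set encap-local-gw4 192.0.2.10
        set encap-remote-gw4 198.51.100.20
        set remote-gw 198.51.100.20
        set psksecret password
    next
end
"""

SIDE_2 = """
config vpn ipsec phase1-interface
    edit "VXLAN"
        set interface "wan1"
        set peertype any
        set proposal aes256-sha1
        set encapsulation vxlan
        set encapsulation-address ipv4
        set encap-local-gw4 198.51.100.20
        set encap-remote-gw4 192.0.2.10
        set remote-gw 192.0.2.10
        set psksecret password
    next
end
"""

PLACEHOLDER_PSKS = {"password", "changeme", "secret", "fortinet"}
MIN_PSK_LEN = 16


def parse_fortios(text):
    """Parse a FortiOS CLI snippet into {table: {entry: {setting: value}}}.

    Handles config / edit / set / next / end for flat tables such as
    phase1-interface.  Multi-value settings are kept as one space-joined string."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # respects the "quoted" names FortiOS prints
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            table = " ".join(args)
            tables.setdefault(table, {})
        elif kw == "edit":
            entry = args[0]
            tables[table].setdefault(entry, {})
        elif kw == "set":
            tables[table][entry][args[0]] = " ".join(args[1:])
        elif kw == "next":
            entry = None
        elif kw == "end":
            table = None
    return tables


def phase1(text, name="VXLAN"):
    """The settings of one phase1-interface entry."""
    return parse_fortios(text)["vpn ipsec phase1-interface"][name]


def check_vxlan_pair(text_a, text_b, name="VXLAN"):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    sides = {"A": phase1(text_a, name), "B": phase1(text_b, name)}
    for local, remote in (("A", "B"), ("B", "A")):
        me, peer = sides[local], sides[remote]
        # My VXLAN source must be what the peer expects as its VXLAN destination.
        if me.get("encap-local-gw4") != peer.get("encap-remote-gw4"):
            findings.append(f"{local} encap-local-gw4 {me.get('encap-local-gw4')} "
                            f"!= {remote} encap-remote-gw4 {peer.get('encap-remote-gw4')}")
        # The IKE peer and the VXLAN remote endpoint are the same public address.
        if me.get("remote-gw") != me.get("encap-remote-gw4"):
            findings.append(f"{local} remote-gw {me.get('remote-gw')} "
                            f"!= encap-remote-gw4 {me.get('encap-remote-gw4')}")
        for key, want in (("encapsulation", "vxlan"), ("encapsulation-address", "ipv4")):
            if me.get(key) != want:
                findings.append(f"{local} {key} is {me.get(key)!r}, expected {want!r}")
        psk = me.get("psksecret", "")
        if psk.lower() in PLACEHOLDER_PSKS or len(psk) < MIN_PSK_LEN:
            findings.append(f"{local} psksecret is a placeholder or shorter than {MIN_PSK_LEN} chars")
    if sides["A"].get("proposal") != sides["B"].get("proposal"):
        findings.append("proposal differs between sides")
    return findings


if __name__ == "__main__":
    for finding in check_vxlan_pair(SIDE_1, SIDE_2) or ["consistent"]:
        print(finding)
```

Run against the two constructed snippets it reports only the two weak-PSK findings; swap one digit of encap-remote-gw4 on side B and it reports the asymmetric address on side A plus the remote-gw mismatch on side B.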
First make sure the VPN is up and working. Then a simple ping test between two devices on the same subnet, one at each site, is enough to confirm things are working; a TCP connection is always the best test. You can also check that the ARP and MAC address tables on each side show entries for hosts on the remote side. For example, the output below is from the Cisco 3650 switch at the datacenter side (behind the 60D).
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.19.21    0          000c.291c.b2a5  ARPA   Vlan1
Internet  192.168.19.51    0          000c.2918.b8be  ARPA   Vlan1      <-- 192.168.19.51 lives behind the 60E

Datacenter-Stack#show mac address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    000c.2918.b8be    DYNAMIC     Gi1/0/1     <-- the FortiGate 60D is connected to Gi1/0/1
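The check being made by eye above is: a host on the far side (192.168.19.51) has an ARP entry here, and its MAC is learned on the port where the local FortiGate plugs in (Gi1/0/1), which proves the frame crossed the tunnel. Once the stretched VLAN is in production it is worth making that check repeatable, and the same MAC table tells you exactly which far-side hosts are reaching you over the tunnel. The script below is an added example, not part of the post: it parses the two Cisco outputs and correlates them. The sample output is modelled on the post's tables; the port for 000c.291c.b2a5 (a local host) and the trailing "Total Mac Addresses" line are constructed.

```python
"""Correlate Cisco 'show ip arp' and 'show mac address-table' output to verify
which hosts are reached over the FortiGate-facing port.  Added example, not
part of the post; the port for 000c.291c.b2a5 and the summary line are constructed."""
import re

ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.19.21           0   000c.291c.b2a5  ARPA   Vlan1
Internet  192.168.19.51           0   000c.2918.b8be  ARPA   Vlan1
"""

MAC_OUTPUT = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    000c.2918.b8be    DYNAMIC     Gi1/0/1
   1    000c.291c.b2a5    DYNAMIC     Gi1/0/5
Total Mac Addresses for this criterion: 2
"""

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"      # Cisco dotted-hex MAC
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+" + MAC + r"\s+ARPA\s+(\S+)", re.I)
MAC_RE = re.compile(r"^\s*(\d+)\s+" + MAC + r"\s+(\S+)\s+(\S+)", re.I)


def parse_arp(text):
    """Map IP -> (mac, interface) from 'show ip arp' output."""
    entries = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            ip, _age, mac, iface = m.groups()
            entries[ip] = (mac.lower(), iface)
    return entries


def parse_mac_table(text):
    """Map mac -> (vlan, port) from 'show mac address-table' output.
    Header, separator and summary lines do not match the pattern and are skipped."""
    entries = {}
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            vlan, mac, _type, port = m.groups()
            entries[mac.lower()] = (int(vlan), port)
    return entries


def verify_remote_hosts(arp_text, mac_text, remote_ips, tunnel_port):
    """For each IP expected behind the far FortiGate, report whether its MAC is
    learned on the switch port that faces the local FortiGate."""
    arp, macs = parse_arp(arp_text), parse_mac_table(mac_text)
    result = {}
    for ip in remote_ips:
        if ip not in arp:
            result[ip] = "no ARP entry"
            continue
        mac, _iface = arp[ip]
        if mac not in macs:
            result[ip] = f"ARP entry {mac} but no MAC table entry"
            continue
        _vlan, port = macs[mac]
        result[ip] = "ok" if port == tunnel_port else f"learned on {port}, not tunnel port {tunnel_port}"
    return result


def macs_on_port(mac_text, port):
    """Every MAC learned on one port; on the FortiGate-facing port this is the
    inventory of far-side hosts currently reaching this site over the stretched VLAN."""
    return sorted(mac for mac, (_vlan, p) in parse_mac_table(mac_text).items() if p == port)


if __name__ == "__main__":
    print(verify_remote_hosts(ARP_OUTPUT, MAC_OUTPUT, ["192.168.19.51", "192.168.19.21"], "Gi1/0/1"))
    print("far-side MACs seen on Gi1/0/1:", macs_on_port(MAC_OUTPUT, "Gi1/0/1"))
```

Paste the live output of both commands in place of the constants (or read them from a file) and feed in the list of addresses that should live at the other site; anything reported as learned on a port other than the FortiGate-facing one is either a local host in the same subnet or a duplicate address, both worth a look.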
That's it! VXLAN is an open protocol and a great datacenter technology. Fortinet makes it very easy to get this up and running within a few minutes. EB