Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 4 subscribers
  • Views 4988 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Vlan Routing over UTM2UTM tunnel

ThomasRottig

Hi,

I am not sure the general forum is the most appropriate place, please move if a subforum is better. thanks.

Edit:

Ok, I believe I should simplify the question:

What is the proper way to route tagged ethernet frames over a utm2utm tunnel.

Does the vlan interface need to be created on the tunnel interface or the underlying ethernet interface?

----

I currently have 2 UTMs running, one at each location. Those are connected via UTM2UTM tunnel.

Internet access is local, only remote site traffic is routed to the other UTM via the tunnel.

Both UTMs run virtualized in ESX.

Now I want to set up VLAN routing for vSan traffic to go between the two sites.

Unfortunately I am not too well versed in VLAN setups, so I am struggling and am looking for some basic setup pointers.

I will leave out most of the ESX details as I guess thats not the point of this forum;)

Site A

3 Interfaces at the moment, LAN, WAN, Redc1 for Tunnel.

The ESX only has two nics, so I guess I need to add a vLan Interface in the UTM. Does that need to be based on the internal NIC or the redc1 Interface? Or both?

Site B

2x ESX,each has 4 NICs, of which 2 are used for Internal Network, one for WAN and one a dedicated VSAN interface.

UTM's are configured with LAN, WAN, Reds1 for Tunnel and one HA interface.

Now the dedicated vsan interface's traffic (vlan 3) should be routed to the remote network. The question again is, what is the most appropriate setup in UTM.

I can add a new interface based on the dedicated physical NIC to the UTM or I can replicate the setup from Site A and try to do this via the regular Lan interface with VLAN.

Sorry if this is a basic question, I was not able to find a good explanation on how to setup utm2utm vlan routing.

Probably not helping that the whole thing is virtualized.

I am aware that there are more points to complete before this will work (routing etc), but lets start with the basics and then I can try figuring out the rest:)

Thanks for any pointers to documentation or to a solution (or better understanding) :)



This thread was automatically locked due to age.
Parents
  • 0

    It's not clear to me why you need VLAN3 in Site A, Thomas.  Why not just add the subnet of VLAN3 to the RED tunnel?

    This story about WiFi video cameras in a motor coach might help you visualize an example of where a RED tunnel can be useful.  I also have a client that has a home in Mexico and in Oklahoma.  In order to avoid the Mexican limitations on the types of Internet traffic allowed, all web surfing from their Mexican home is routed to Oklahoma over a RED tunnel between UTMs in both locations.

    Cheers - Bob

  • 0 in reply to BAlfson

    Hi Bob,

    thanks for your answer.

    For 'official' deployments of VMWare VSan its recommended to have vsan traffic on a separate lan or vlan to prevent it from polluting the regular traffic (as it works with multicast between the storage nodes).

    So I originally had set it up on a vLan as well since the traffic was going over my main switch.

    Now I moved one host to the remote location and wanted to replicate the local setup -> requirement to route vlan over to the remote site.

    In the meantime I have worked around it similar to your suggestion, I have the two local nodes (directly connected) on a separate subnet so they will not pollute the main switch with the multicast traffic. The unicast traffic to the remote site is now simply routed via the regular red tunnel. This should be relatively little traffic so won't matter.

    I left the question open to get a glimpse into how it could be done if I ever really needed to route a VLAN over the tunnel, as my attempts to understand the setup (and playing around blindly) have failed and I couldn't find much documentation on it.

  • 0 in reply to ThomasRottig

    Thomas, you're describing a situation similar to the motor coach video cameras I linked to above.  I would create a new RED tunnel between the two locations and then bridge the red# NIC on each side with the VLAN3 interface in that device.

    Cheers - Bob

  • 0 in reply to BAlfson

    Hm, can I have two red tunnels between the same two UTMs? Wouldn't have thought so:o

    But in general, whats the 'official' recommendation for routing a vlan over the red tunnel?

    Or is that not a supported functionality?

  • 0 in reply to ThomasRottig

    You can have multiple tunnels of RED just as you can with IPsec.  You just need to make sure you don't create routing problems by having a subnet in one tunnel that overlaps a subnet in another.

    The advantage of the RED tunnel over IPsec is that you have virtual NICs to work with.  That lets you create a situation where an Ethernet segment on one side can be bridged to one on the other side.  If you don't need identical subnets on both sides, no bridge is necessary.

    Another example of a sweet trick with RED tunnels is using Multipath rules to selectively send web browsing traffic out via the UTM in your office in the USA while all other traffic in your Dubai office goes out the UTM there.

    If a bridge or Multipath rules are not necessary, then I prefer a standard IPsec tunnel.  The only key thing is the subnets on each side.  Say VLAN3 is 172.17.1.0/24 in Site 1 and 172.17.2.0/24 in Site 2.  The UTMs will route the traffic from Site 1's VLAN 3 out the VLAN3 Interface in Site 2.  No need to maintain the Layer 2 tag in the tunnel.

    Cheers - Bob

Reply
  • 0 in reply to ThomasRottig

    You can have multiple tunnels of RED just as you can with IPsec.  You just need to make sure you don't create routing problems by having a subnet in one tunnel that overlaps a subnet in another.

    The advantage of the RED tunnel over IPsec is that you have virtual NICs to work with.  That lets you create a situation where an Ethernet segment on one side can be bridged to one on the other side.  If you don't need identical subnets on both sides, no bridge is necessary.

    Another example of a sweet trick with RED tunnels is using Multipath rules to selectively send web browsing traffic out via the UTM in your office in the USA while all other traffic in your Dubai office goes out the UTM there.

    If a bridge or Multipath rules are not necessary, then I prefer a standard IPsec tunnel.  The only key thing is the subnets on each side.  Say VLAN3 is 172.17.1.0/24 in Site 1 and 172.17.2.0/24 in Site 2.  The UTMs will route the traffic from Site 1's VLAN 3 out the VLAN3 Interface in Site 2.  No need to maintain the Layer 2 tag in the tunnel.

    Cheers - Bob

Children
No Data