ExtremeSwitching (VSP)

  • 1.  FIGW - IPSEC + VXLAN + FRAGMENTATION AND REASSEMBLY over L2 link

    Posted 7 days ago
    Hi team,

    In an L2 connection through an ISP with an MTU of less than 1600 bytes, I'm using FIGWs for fabric extend (VXLAN) and fragmentation & reassembly to establish IS-IS adjacencies without problem.

    Now I want to add IPSEC, but I reviewed all the topologies available for IPSEC and all of them are through L3. The question is: on an L2 link, is an IPSEC topology supported?

    Regards

    EF


  • 2.  RE: FIGW - IPSEC + VXLAN + FRAGMENTATION AND REASSEMBLY over L2 link

    Posted 4 days ago
    EF,
    You should describe your setup in more detail.
    The IPSec tunnel + frag/defrag can be performed at the FIGW level, while the IS-IS logical interface is done at the switch level.
    You should describe what you have today in a picture so that we can guide you.

    Mig


  • 3.  RE: FIGW - IPSEC + VXLAN + FRAGMENTATION AND REASSEMBLY over L2 link

    Posted 4 days ago

    I'll try to explain better. This is my working environment (VXLAN+FRAGMENTATION). My deployment is an L2 link with an MTU of less than 1600 bytes between two FIGWs, and it's working fine:

    Now I want to add IPSEC, but I'm unable to add the necessary commands because there are exclusions with this config.

    After my investigation I see that all topologies with IPSEC are over L3 networks,

    so I begin to suspect that it's not supported over L2 links.

    It's a question about the topologies supported with FIGW and IPSEC.


    BR


    EF




  • 4.  RE: FIGW - IPSEC + VXLAN + FRAGMENTATION AND REASSEMBLY over L2 link
    Best Answer

    Posted 3 days ago
    EF,

    IPSEC is always over L3. MACSEC is over L2.
    Here is a possible setup:
    Mig


  • 5.  RE: FIGW - IPSEC + VXLAN + FRAGMENTATION AND REASSEMBLY over L2 link

    Posted 12 hours ago
    Running IPsec tunnels over an L2 WAN (e.g. VPLS) should be possible, but I have never tried it. You would not set any wan-intf-gw-ip on the FIGW.
    The FIGW would thus ARP for the remote endpoints.


  • 6.  RE: FIGW - IPSEC + VXLAN + FRAGMENTATION AND REASSEMBLY over L2 link

    Posted 12 hours ago
    Hi Ludovico,

    This is the problem, if I'm not wrong: "set global wan-intf-gw-ip" is mandatory for the IPSEC config, but in an L2 connection I don't have it.

    Regards

    EF