Hello Extreme Community,
I am new to the Fabric Connect architecture/paradigm and I’m currently learning it by building an extensive lab with licensed physical equipment in a physical data center.
I’m in need of a little configuration guidance with regard to Fabric Extend and the extension of the SPBM fabric across L3 networks.
I am able to create an FE tunnel over an IP-VPN WAN between a VSP4900 at a Main site and a remote XA1440 appliance at a branch site.
I am also able to create an FE tunnel with IPSec over the Internet between an XA1440 at the Main site and the same remote XA1440 appliance.
What I can’t figure out is how to configure both at the same time - I am limited by only being able to configure a single ISIS ip-tunnel-source-address on the VSPs.
On each side, I am using a separate VRF to isolate the interfaces which connect to the L3 transport networks, and a I’m using a brouter port for the tunnel on both sides. The red brouter ports are sitting in a DMZ on each firewall with public IP addresses.
On the diagram below, I have full IP connectivity with some static routes inside the Fabric Extend VRF. Inside the VRF I am able to ping out to the Internet and at the same time I can ping across the WAN to the main site.
I can build an ISIS adjacency between the purple dots, and then when I change the ip-tunnel-source-address to the public IP I can get and ISIS adjacency between the red dots.
Remote XA:
***************
#
# ISIS CONFIGURATION
#
router isis
sys-name "Remote_XA"
ip-source-address 10.0.0.11
ip-tunnel-source-address 10.13.10.26 vrf fab_extend
is-type l1
system-id 0050.0000.aaaa
manual-area 10.01
exit
router isis enable
#
# LOGICAL ISIS CONFIGURATION
#
logical-intf isis 1 dest-ip 10.10.10.2 mtu 1950 name "Tunnel_to_LAK"
isis
isis spbm 1
isis enable
exit
logical-intf isis 2 dest-ip 168.168.210.250 mtu 1950 name "Tunnel_to_LAK_ipsec"
isis
isis spbm 1
isis enable
exit
#
# PORT CONFIGURATION - PHASE II
#
interface GigabitEthernet 1/1
name "L3 link to WAN cloud"
no shutdown
vrf fab_extend
brouter port 1/1 vlan 802 subnet 10.13.10.26/255.255.255.248 mac-offset 0
no spanning-tree mstp force-port-state enable
exit
interface GigabitEthernet 1/2
name "L3 link to the Internet"
no shutdown
vrf fab_extend
brouter port 1/2 vlan 803 subnet 167.167.208.4/255.255.255.0 mac-offset 1
no spanning-tree mstp force-port-state enable
exit
Remote_XA:1#show isis interface
========================================================================================================================
ISIS Interfaces
========================================================================================================================
IFIDX TYPE LEVEL OP-STATE ADM-STATE ADJ UP-ADJ SPBM-L1-METRIC OP-SPBM-L1-METRIC ORIGIN
------------------------------------------------------------------------------------------------------------------------
Tunnel_to_LAK pt-pt Level 1 UP UP 1 1 20000 20000 CONFIG
Tunnel_to_LAK_i~ pt-pt Level 1 UP UP 0 0 20000 20000 CONFIG
--------------------------------------------------------------------------------
2 out of 2 Total Num of ISIS interfaces
--------------------------------------------------------------------------------
Remote_XA:1#show isis adjacencies
====================================================================================================
ISIS Adjacencies
====================================================================================================
INTERFACE L STATE UPTIME PRI HOLDTIME SYSID HOST-NAME
----------------------------------------------------------------------------------------------------
Tunnel_to_LAK 1 UP 04:50:35 127 22 0048.0000.00c1 FC_LAK_Core1
--------------------------------------------------------------------------------
1 out of 1 interfaces have formed an adjacency
--------------------------------------------------------------------------------
How can I have 2 permanent ISIS adjacencies to the Campus Fabric Connect environment across the two circuits?
Should I not use public IP addresses on the IPSec tunnel endpoints and instead use the same tunnel source address as the VXLAN tunnel but NAT it at the firewalls?
Also, documentation mentions that the XA1400 appliances are hardened - do you know any details on that? What is mean by “hardened” in this context?
I am trying to achieve the scenario on the very left in the following screenshot:
Your thoughts are appreciated,
Thank you!
1 ACCEPTED SOLUTION
Thank you very much for your answer, Ludovico!
I have seen the concepts you are referring to in documentation, so I can understand what you are suggesting. (sorry for not mentioning anything about the code versions I use on the appliances, but I am indeed using VOSS 8.3.0.0)
If I have the necessary hardware resources at the remote branch site, then would you say that right now it is a better solution to implement the scenario shown in the middle of the screenshot below?
This way, at the remote branch I will have one VSP connected to one ISP circuit and another VSP connected to another ISP circuit, with an ISIS adjacency between the VSPs. If either of the WAN circuits was to go down, I would be relying on Fabric Connect to select the available path to the main site.
Thanks again for the valuable input!
