Dear all, I would like to request assistance with a project scenario, as described below:
We have a client with a need to connect several remote branches to the company's main office with link redundancy. They already have a LAN-to-LAN structure in production, fiber links that extend from the main office to these branches, providing local and internet connectivity.
Additional internet links will be added to these branches, mostly 4G links (dynamic IP). SMB appliances (1500 Spark) will be installed, and the management of these appliances will be the same as the Main Office Cluster, as shown in the topology image. This means both the Main Office cluster and the branches will be in the same SMS.
To ensure that internal resources of the Main Office remain available to the branches in case the LAN-to-LAN link goes down, it is necessary to establish a VPN tunnel through the secondary link (4G).
However, here is the challenge: if we have the Main Office cluster and the Spark from a branch in the same SMS, when we create the Star Community and add the participating gateways, any traffic coming from Spark is expected by the Cluster to be within the Community.
How could I separate this traffic both in Spark and the Cluster? In a way that, while the primary link (LAN-to-LAN) is up, all traffic goes through it, outside the VPN tunnel. When this traffic reaches the Cluster outside the tunnel, it should be accepted and routed normally. And when the primary link (LAN-to-LAN) goes down, the VPN tunnel with the secondary link (4G dynamic IP) should be established and continue to provide connectivity to the internal resources of the Main Office.
We tried to establish the VPN tunnel through the LAN-to-LAN link, believing that when this link became unavailable, the secondary link would establish the tunnel normally. However, the tunnel is not established by the secondary link; according to logs and debugs, apparently, phase 1 is completed, but for some reason, phase 2 never starts.
I have attached the topology image of the project described above. If the tests are successful, approximately 400 Spark appliances will be installed as part of this topology.
I appreciate you for helping me overcome this challenge.
Thank you in advance for your attention.
Topology:
Hello @PhoneBoy , thanks for the advice!
From what I've seen, MEP is used when there are at least 2 central gateways in a community, but that's not my case. I have only one cluster, which is the central gateway, and the Spark will be the satellite gateway.
The issue is that the Spark will have 2 internet links, and I need the tunnel to be established by both links. If the primary link fails, the secondary one should establish the tunnel.
Regarding Wire Mode, I can configure it in the community and the cluster object, but in the Spark object, the option is blocked. Does Spark not support Wire Mode when management is centralized?
Below are the images:
MEP
Wire Mode Spark
Wire Mode Cluster
@Bernardes wrote:Dear all, I would like to request assistance with a project scenario, as described below:
We have a client with a need to connect several remote branches to the company's main office with link redundancy. They already have a LAN-to-LAN structure in production, fiber links that extend from the main office to these branches, providing local and internet connectivity.
Additional internet links will be added to these branches, mostly 4G links (dynamic IP). SMB appliances (1500 Spark) will be installed, and the management of these appliances will be the same as the Main Office Cluster, as shown in the topology image. This means both the Main Office cluster and the branches will be in the same SMS.
To ensure that internal resources of the Main Office remain available to the branches in case the LAN-to-LAN link goes down, it is necessary to establish a VPN tunnel through the secondary link (4G).
However, here is the challenge: if we have the Main Office cluster and the Spark from a branch in the same SMS, when we create the Star Community and add the participating gateways, any traffic coming from Spark is expected by the Cluster to be within the Community.
How could I separate this traffic both in Spark and the Cluster? In a way that, while the primary link (LAN-to-LAN) is up, all traffic goes through it, outside the VPN tunnel. When this traffic reaches the Cluster outside the tunnel, it should be accepted and routed normally. And when the primary link (LAN-to-LAN) goes down, the VPN tunnel with the secondary link (4G dynamic IP) should be established and continue to provide connectivity to the internal resources of the Main Office. Skyward FBISD
We tried to establish the VPN tunnel through the LAN-to-LAN link, believing that when this link became unavailable, the secondary link would establish the tunnel normally. However, the tunnel is not established by the secondary link; according to logs and debugs, apparently, phase 1 is completed, but for some reason, phase 2 never starts.
I have attached the topology image of the project described above. If the tests are successful, approximately 400 Spark appliances will be installed as part of this topology.
I appreciate you for helping me overcome this challenge.
Thank you in advance for your attention.
Topology:
Based on the information you provided, it seems that you need to separate the traffic both in Spark and the Cluster. While the primary link (LAN-to-LAN) is up, all traffic should go through it, outside the VPN tunnel. When this traffic reaches the Cluster outside the tunnel, it should be accepted and routed normally. And when the primary link (LAN-to-LAN) goes down, the VPN tunnel with the secondary link (4G dynamic IP) should be established and continue to provide connectivity to the internal resources of the Main Office.
To achieve this, you can use the VPN Link Selection feature. This feature allows you to specify the order in which VPN tunnels are used for traffic. You can configure the VPN Link Selection to use the LAN-to-LAN link as the primary link and the 4G link as the secondary link. When the LAN-to-LAN link is up, all traffic will go through it, outside the VPN tunnel. When the LAN-to-LAN link goes down, the VPN tunnel with the 4G link will be established and continue to provide connectivity to the internal resources of the Main Office.
To configure the VPN Link Selection, you need to create two VPN communities: one for the LAN-to-LAN link and one for the 4G link. You can then configure the VPN Link Selection to use the LAN-to-LAN community as the primary link and the 4G community as the secondary link. You can also configure the VPN Link Selection to use the LAN-to-LAN link as the backup link for the 4G link.
| User | Count |
|---|---|
| 23 | |
| 17 | |
| 16 | |
| 13 | |
| 8 | |
| 8 | |
| 7 | |
| 5 | |
| 5 | |
| 5 |
Tue 12 Nov 2024 @ 03:00 PM (AEDT)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (APAC)Tue 12 Nov 2024 @ 10:00 AM (CET)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (EMEA)Tue 12 Nov 2024 @ 02:00 PM (CET)
Part 1: Harnessing AI to Prevent Cyber Attacks and Enhance Defense - EMEATue 12 Nov 2024 @ 11:00 AM (EST)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (AMERICAS)Tue 12 Nov 2024 @ 02:00 PM (EST)
Part 1: Harnessing AI to Prevent Cyber Attacks and Enhance Defense - AmericasTue 12 Nov 2024 @ 03:00 PM (AEDT)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (APAC)Tue 12 Nov 2024 @ 10:00 AM (CET)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (EMEA)Tue 12 Nov 2024 @ 02:00 PM (CET)
Part 1: Harnessing AI to Prevent Cyber Attacks and Enhance Defense - EMEATue 12 Nov 2024 @ 11:00 AM (EST)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (AMERICAS)Tue 12 Nov 2024 @ 02:00 PM (EST)
Part 1: Harnessing AI to Prevent Cyber Attacks and Enhance Defense - AmericasWed 20 Nov 2024 @ 05:00 PM (CET)
Under the Hood: DO NOT Renew your WAF without watching THIS!!Tue 19 Nov 2024 @ 12:00 PM (MST)
Salt Lake City: Infinity External Risk Management and Harmony SaaSWed 20 Nov 2024 @ 02:00 PM (MST)
Denver South: Infinity External Risk Management and Harmony SaaSThu 21 Nov 2024 @ 02:00 PM (MST)
Denver North: Infinity External Risk Management and Harmony SaaSTue 03 Dec 2024 @ 10:00 AM (GMT)
UK Community CNAPP Training Day 1: Cloud Risk Management Workshop
