The ability to create up to 5 SpeedFusion tunnels between the same 2 sites has been around since the introduction of firmware 7.0.
But it wasn’t possible to create a combination of Layer 2 and Layer 3 tunnels until now.
From firmware 8.0 and up you can select one sub-tunnel to bridge to a tagged VLAN (Layer 2), and other sub-tunnels can still work in Layer 3 mode.
These connections work independently, giving you the power of Layer 2 bridging and Layer 3 routing at the same time!
I tried creating an L2-L3 tunnel between a Balance and a BR1 M2M as well as a Transit, but point #5 of "Setting up a Layer 2 PepVPN Profile in Firmware 6.2 Onwards" is a problem. The list is empty. On the Balance, no issue: I can see my two sub-tunnels in the list. On the other devices, I don’t see any sub-tunnel in the list.
In full Layer 3 with no Layer 2 defined on the Balance, all sub-tunnels come up. So this configuration seems to be fine.
Transit is in 8.0.0 build 4192
BR1 is in 8.0.0 build 3440
The layer 2 bridging sub-tunnel is only able to bridge to a single VLAN, not the untagged VLAN. You should be able to find the sub-tunnel list in the VLAN bridging settings:
Are you planning to support outbound policy for the PepVPN when the tunnel is a combination of Layer 2 and Layer 3 sub-tunnels?
Currently, we can either set sub-tunnels in L2 mode or create outbound policy rules for the sub-tunnels. I’d like to use both of these functions.
This can be useful when we have 3 or more different sub-profiles:
L2 for AP controller
L3 for data
L3 for audio with WAN Smoothing enabled
I would use outbound policy with DPI to steer voice traffic to the dedicated sub-tunnel. The rest of the traffic would go through standard L3 tunnel and AP Management through L2 profile.
@JakubN, you should be able to enforce the traffic to a specific layer 3 sub-tunnel using outbound policy even when layer 2 and layer 3 sub-tunnels are running at the same time.
May I know whether the layer 3 sub-tunnel does not appear in the outbound policy drop-down list after layer 2 and layer 3 sub-tunnels are configured? Is it possible to provide a screenshot of your settings?
@JakubN, I am seeing some differences from my MFA500. I am using 8.1.0b02. Can you share which model and firmware version you used? Let me show you my settings.
The 3rd (Video) sub-tunnel appears when I enable Layer 2 SpeedFusion in VLAN 53. Please take note, we can’t enable it in the 1st (Data) sub-tunnel as it is used for route exchange for Layer 3 SpeedFusion.
Enable Layer 2 SpeedFusion then configure outbound policy
3 sub-tunnels appear when I enable Layer 2 SpeedFusion in VLAN 53. Please take note, we can’t enable it in the 1st (Data) sub-tunnel as it is used for route exchange for Layer 3 SpeedFusion. So, I choose the 3rd (Video) sub-tunnel.
The screens I shared come from an MBX with fw: 8.0.2 build 1409
I tried these settings again on a UBR Rugged with 8.0.2s013 build 4417 and it works just like on your device. It must be a firmware thing.
@JakubN, my MBX, firmware 8.0.2, has the same behavior as the MFA500. So, it is working fine. I suggest opening a ticket for me to take a closer look.
As we’ve tested with 8.1.0, it is a must to create the L3 tunnel as the first sub-tunnel. If the L2 is the first, all routing information for the L3 will be routed through the L2 and it can’t connect.
This is important for everyone with the same issue.
Question:
Is it possible to bring the Management-LAN-Interface of e.g. an SDX into a VLAN (for an L2 tunnel)? If yes, how to do it?
@dennis.hofheinz, you are correct. The default sub-tunnel (first sub-tunnel) will be used for route exchange between central and remote sites if you configure layer 2 + layer 3.
The management port is for device management purposes. Hence, you can’t make use of it in the layer 2 SpeedFusion tunnel.