Routing Site to Site Traffic through Tagged EVC?
Greetings,
I'm racking my brain over something regarding a multipoint connection between our three facilities.
We recently got fiber into all 3 of them, and they offer site to site connectivity through the use of EVCs, from the sounds of it: we peel off some of our bandwidth and give it a VLAN tag (for this case, I'll just use 600 to refer to it) and we can use it as a point to point or multipoint connection. Cool.
My question is how would I go about integrating such a thing into WatchGuard; usually this seems like something I'd do with a Cisco switch, make a tunnel or 802.1q encapsulation through the VLAN and go from there.
I need to be able to enable two of my VLANs to see through it, one for servers (so they can see each other), and one for clients (engineering environment, allows remoting into test beds at other facilities).
Edit: all three sites have their own set of VLANs for this, with their IDs being 10X and 20X respectively. So I'd need VLANs 100, 101, and 102 to be able to see each other through VLAN 600, and the same with 200, 201, and 202.
I'm not too familiar with EVCs, nor am I familiar at all with WatchGuard device configuration. Any input on the best practices here would be appreciated. If any further details are needed I'm happy to provide them.
That said, I'm just looking to tie my three facilities together using a single multipoint EVC, if that's even possible at all within the limitations of EVCs or Fireboxes.
Just a random tank doing networking, don't mind me
Comments
I'd suggest simply running BOVPN Virtual Interfaces over that/those connections. Personally, I would not be willing to trust an external company/telco/etc to encrypt my traffic when I can do it very easily.
VLAN tags would be added at each VPN endpoint, and workstations/servers could talk across the VPN provided firewall rules on the firebox are set to allow that.
(About BOVPN Virtual Interfaces)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/bovpn_vif_about_c.html
If you'd prefer to send traffic directly over that interface without the VPN, you can set up a static route to send that traffic to the appropriate gateway.
(Add a static route)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/static_route_add.html
-James Carson
WatchGuard Customer Support
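To make the answer above concrete, here is an added planning example; it is not code from the original thread or from WatchGuard. It models the design the reply describes: one multipoint EVC carrying VLAN 600 as a transport network, a full mesh of BOVPN Virtual Interfaces between the three Fireboxes riding on it, static routes at each site for the remote 10X/20X subnets, and firewall policies that only let server VLANs talk to server VLANs and client VLANs to client VLANs. All IP addresses, site names and the "bovpn-vif-<site>" interface names are constructed assumptions; the overlap check is there because routed site-to-site VPNs only work if no two sites reuse the same subnet.

```python
"""Added planning example for a three-site BOVPN VIF mesh over a VLAN 600 EVC.
Not from the original thread or WatchGuard; all addresses are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from itertools import combinations

EVC_VLAN = 600
# Assumption: a small transport subnet on VLAN 600, one address per Firebox.
EVC_TRANSPORT = ip_network("10.60.0.0/29")


@dataclass
class Site:
    name: str
    evc_ip: IPv4Address  # this Firebox's address on the VLAN 600 EVC
    vlans: dict          # VLAN id -> local subnet (constructed values below)


SITES = [
    Site("SiteA", ip_address("10.60.0.1"),
         {100: ip_network("10.1.100.0/24"), 200: ip_network("10.1.200.0/24")}),
    Site("SiteB", ip_address("10.60.0.2"),
         {101: ip_network("10.2.101.0/24"), 201: ip_network("10.2.201.0/24")}),
    Site("SiteC", ip_address("10.60.0.3"),
         {102: ip_network("10.3.102.0/24"), 202: ip_network("10.3.202.0/24")}),
]


def check_plan(sites):
    """Return a list of problems; an empty list means the plan is routable."""
    problems = []
    nets = [(s.name, v, n) for s in sites for v, n in s.vlans.items()]
    # Overlapping subnets cannot be distinguished by a static route.
    for (n1, v1, a), (n2, v2, b) in combinations(nets, 2):
        if a.overlaps(b):
            problems.append(f"{n1} VLAN {v1} {a} overlaps {n2} VLAN {v2} {b}")
    seen = {}
    for s in sites:
        if s.evc_ip not in EVC_TRANSPORT:
            problems.append(f"{s.name} EVC address {s.evc_ip} not in {EVC_TRANSPORT}")
        if s.evc_ip in seen:
            problems.append(f"{s.name} and {seen[s.evc_ip]} share {s.evc_ip}")
        seen[s.evc_ip] = s.name
    return problems


def bovpn_mesh(sites):
    """Full mesh of BOVPN VIF peers over VLAN 600: one tunnel per site pair."""
    return [(a.name, str(a.evc_ip), b.name, str(b.evc_ip))
            for a, b in combinations(sites, 2)]


def static_routes(sites):
    """Per site: (remote subnet, BOVPN VIF that reaches it) for every remote VLAN."""
    routes = {}
    for local in sites:
        routes[local.name] = [
            (str(net), f"bovpn-vif-{remote.name}")   # assumed VIF naming
            for remote in sites if remote is not local
            for net in remote.vlans.values()
        ]
    return routes


def policies(sites):
    """Allowed (local subnet, remote subnet) pairs across the VPN.
    Assumed least-privilege split: 1xx VLANs (servers) only reach remote 1xx,
    2xx VLANs (clients) only reach remote 2xx; everything else stays denied."""
    allowed = []
    for a, b in combinations(sites, 2):
        for va, na in a.vlans.items():
            for vb, nb in b.vlans.items():
                if va // 100 == vb // 100:
                    allowed.append((str(na), str(nb)))
    return allowed


def example_bad_plan():
    """A constructed plan where a fourth site reuses SiteA's server subnet."""
    dup = Site("SiteD", ip_address("10.60.0.4"),
               {103: ip_network("10.1.100.0/24")})
    return SITES + [dup]


if __name__ == "__main__":
    print("problems:", check_plan(SITES))
    for tunnel in bovpn_mesh(SITES):
        print("tunnel:", tunnel)
    for site, routes in static_routes(SITES).items():
        print(site, routes)
    print("bad plan:", check_plan(example_bad_plan()))
```

Run it as-is to see the three tunnels, the four routes each Firebox needs, and the overlap the bad plan triggers; swap in your real subnets before relying on the output. The mesh and route lists map directly onto what you would enter by hand: one BOVPN Virtual Interface per remote Firebox, with the VLAN 600 addresses as local and remote gateways, and the remote 10X/20X subnets as routes over that interface.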
Much appreciated, and a good point.
I'll give this a spin.
Just a random tank doing networking, don't mind me