Ethernet over VPN Bonding (LACP)

In our previous topics we covered ‘Ethernet over VPN’, which extends a layer 2 network across any layer 3 WAN, and the ‘3 major methods for the bonding VPN tunnel’, which aggregate multiple WAN links for VPN connections while keeping automatic failover between the links.

In this topic, VPN Bonding (LACP), we combine the two to get the best of both: bond multiple WAN links (in particular dual LTE SIMs) and extend the layer 2 LAN across the layer 3 WAN (e.g. the mobile network).

The scenario below shows a typical remote site with dual SIM/LTE connections and a CMG gateway at the HQ site.

  1. Run one VPN tunnel across each LTE connection, i.e. two tunnels for two SIMs.
  2. Bond (aggregate) the bandwidth of both LTE connections/tunnels with LACP; refer to Bonding interface overview and Bonding interface configuration. LACP bonding handles load balancing and failover between the two tunnels (and therefore between the two LTE connections).
  3. Bridge the bonding interface to the LAN interface on both the CMG and the HSA/UA; refer to Bridge interface Overview and Bridge interface configuration (more on interface bridging). This extends the remote LAN to the HQ LAN across the dual tunnels.

A few things to take note:

1. On both the CMG and the HSA, the tunnels must use tap mode (layer 2 tunnel): a bonding interface and a bridge carry Ethernet frames, so a tun (layer 3) tunnel cannot be a member of either.

2. On the HSA/UA we use PBR to map each tunnel (each uses a different port number) to its LTE/SIM connection, so that we can be certain each tunnel really leaves over its intended LTE link. Without this, both tunnels would follow the default route and could end up on the same SIM, which defeats both the aggregation and the failover.

3. Bonding is point-to-point, so each remote HSA must terminate both tunnels on the same CMG (with a different port number for each tunnel instance); the two tunnels are then bonded into one logical bonding interface on both the HSA and the CMG. Each remote HSA therefore needs its own bonding interface on the CMG, built from its own dedicated pair of tap tunnels.

4. In summary, each peer (CMG-HSA) requires a dedicated set of resources: one bond interface, two tap interfaces (on the CMG this means two instances of the SSLVPN service), and one bridge interface.

5. If there are multiple remote sites (multiple HSAs), the CMG needs one such dedicated set of resources (as in #4) per site.
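The three steps above (pin each tunnel to its LTE link with PBR, bond the two tap tunnels with LACP, bridge the bond to the LAN) rendered for a generic Linux router with iproute2, as an added example that is not the vendor's CMG/HSA configuration. It assumes the remote side uses two OpenVPN tap instances (tap0, tap1) towards one HQ endpoint 203.0.113.10 on UDP 1194 and 1195, LTE interfaces wwan0/wwan1 with next hops 10.64.0.1/10.64.1.1, and LAN interface eth1; all of these names and addresses are assumptions. `ip rule ... ipproto udp dport` needs iproute2 and a kernel of 4.17 or later.

```shell
#!/bin/sh
# Added example, not the vendor's configuration: Linux (iproute2) version of
# the dual-LTE tap-tunnel bond for the remote (HSA) side.
# Assumed names: wwan0/wwan1 are the LTE interfaces (next hops 10.64.0.1 and
# 10.64.1.1), tap0/tap1 are the two layer-2 tunnels (one OpenVPN instance each,
# "dev tap0" / "dev tap1"), the HQ endpoint 203.0.113.10 listens on UDP 1194 for
# tunnel 1 and UDP 1195 for tunnel 2, and eth1 is the remote LAN.
# With no argument the script only prints the plan; "apply" executes it as root.

HQ=203.0.113.10
LAN=eth1

# Policy-based routing for one tunnel: a dedicated routing table whose only
# default route leaves via that LTE link, selected by the tunnel's UDP
# destination port. Without this both tunnels would follow the main table's
# default route and could share one SIM while the other sits idle.
pbr_cmds() {
    port=$1 lte=$2 gw=$3 table=$4
    echo "ip route replace default via $gw dev $lte table $table"
    echo "ip rule add to $HQ ipproto udp dport $port lookup $table"
}

# 802.3ad (LACP) bond over the two tap interfaces. The CMG side must bond its
# two server-side taps the same way, because LACPDUs travel through the tunnels.
# lacp_rate fast notices a dead tunnel within seconds even if the tap stays
# administratively up; layer3+4 hashing spreads flows over both tunnels (the
# default layer2 policy would send everything addressed to the HQ gateway MAC
# down a single tunnel).
bond_cmds() {
    echo "ip link add bond0 type bond mode 802.3ad miimon 100 lacp_rate fast xmit_hash_policy layer3+4"
    for tap in tap0 tap1; do
        echo "ip link set $tap down"          # a slave must be down to be enslaved
        echo "ip link set $tap master bond0"
    done
    echo "ip link set bond0 up"
}

# Bridge the bond to the LAN so the HQ and remote LANs form one broadcast
# domain. LAN frames are re-encapsulated in UDP on the LTE side, so size the
# tunnel MTU (tun-mtu / mssfix in the OpenVPN instances) accordingly.
bridge_cmds() {
    echo "ip link add br0 type bridge"
    echo "ip link set bond0 master br0"
    echo "ip link set $LAN master br0"
    echo "ip link set br0 up"
}

# The complete plan: one PBR rule set per tunnel, then the bond, then the bridge.
plan() {
    pbr_cmds 1194 wwan0 10.64.0.1 101
    pbr_cmds 1195 wwan1 10.64.1.1 102
    bond_cmds
    bridge_cmds
}

case "${1:-}" in
    apply) plan | sh -e ;;   # run the plan (needs root and the real interfaces)
    *)     plan ;;           # default: print the plan only
esac
```

Run it without arguments first and read the printed commands; `./bond.sh apply` then executes them in order. The two `pbr_cmds` calls are the point 2 caveat made concrete: each tunnel's UDP destination port selects a routing table that can only exit through one LTE link, so a tunnel can never quietly move to the other SIM.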