athirat
Staff
Article Id 193198
Description
VXLAN encapsulates OSI layer 2 Ethernet frames within layer 3 IP packets, using the standard UDP destination port 4789. The endpoints that terminate VXLAN tunnels, which can be virtual or physical switch ports, are known as VXLAN tunnel endpoints (VTEPs).

Solution
Scenario 1 : Unicast VXLAN Example 1 (Performance Test Scenario)
LAN1---(dmz)FGT1(vx1)(wan1 : 1.1.1.1)----Internet----(wan2 : 2.2.2.2)(vx2)FGT2(dmz)---LAN2
FGT1 Configuration
config system vxlan                     // Create a VXLAN interface vx1
    edit "vx1"
        set interface "wan1"                // Set local outgoing interface to "wan1"
        set vni 1000
        set remote-ip 2.2.2.2               // Set remote-ip to FGT2-wan2 IP
    next
end
config system interface                 // Set VTEP vx1 IP
    edit "vx1"
        set ip 1.1.2.1 255.255.255.0
    next
end

- Add firewall policies between VXLAN interface (e.g. vx1) and LAN interface (e.g. dmz)
- Add static route to VXLAN interface   
FGT2 Configuration
config system vxlan                     // Create a VXLAN interface vx2
    edit "vx2"
        set interface "wan2"                // Set local outgoing interface to "wan2"
        set vni 1000
        set remote-ip 1.1.1.1               // Set remote-ip to FGT2-wan1 IP
    next
end
config system interface                 // Set VTEP vx2 IP
    edit "vx2"
        set ip 1.1.2.2 255.255.255.0
    next
end

Note: Add the firewall policies and the static route on this site as well.
Scenario 2 : Unicast VXLAN Example 2 (Layer 2 Scenario)
LAN---(dmz)FGT1(vx1)(wan1 : 1.1.1.1)----Internet----(wan2 : 2.2.2.2)(vx2)FGT2(dmz)---LAN
FGT1 Configuration
1. Configure VXLAN:
    config system vxlan                     // Create a VXLAN interface vx1
        edit "vx1"
            set interface "wan1"            // Set local outgoing interface to "wan1"
            set vni 1000
            set remote-ip 2.2.2.2           // Set remote-ip to FGT2-wan2 IP
        next
    end
2. Bridge the traffic between the incoming interface (dmz) and the VXLAN interface (vx1):
    config system switch-interface
        edit "sw1"
            set member "vx1" "dmz"            // Let vx1 and dmz join the switch interface sw1
            set intra-switch-policy explicit  // (optional) mandates firewall policy lookup for bridged traffic
        next
    end
3. If "intra-switch-policy" has been set to explicit, add the firewall policies:
    - From port2 to FGT1-vx1
    - From FGT1-vx1 to port2
4. Create a similar configuration on FGT2.
Scenario 3 : Multicast VXLAN Example

    Private_Network1---(dmz)FGT1(vx1)(port1)----+----(port2)(vx2)FGT2(dmz)---Private_Network2
                                                |
    Private_Network3---(dmz)FGT3(vx3)(port3)----+----(port4)(vx4)FGT4(dmz)---Private_Network4
                                                |
                                                :
                                                |
    Private_NetworkA---(dmz)FGTA(vxA)(portA)----+----(portB)(vxB)FGTB(dmz)---Private_NetworkB
    Multicast Group: 225.0.0.1
FGT(n) Configuration:
    config system vxlan                     // Create a VXLAN interface vx(n)
        edit "vx(n)"
            set interface "port(n)"         // Set local outgoing interface to "port(n)"
            set vni 2000
            set remote-ip 225.0.0.1         // Set remote-ip to the multicast group
        next
    end
    config system interface                 // Set VTEP IP
        edit "vx(n)"
            set ip 1.1.(n).1 255.255.255.0
        next
    end
- Other FGT Configurations
    - Add firewall policies between VXLAN interface (e.g. vx1) and LAN interface (e.g. dmz)
    - Add static route to VXLAN interface
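The following is an added example, not part of this article or of FortiOS: it builds and parses the 8-byte VXLAN header described above (UDP 4789, 24-bit VNI) and then applies the acceptance test a VTEP applies to each received datagram, using the remote-ip / VNI pairs from the configurations above (2.2.2.2 / 1000 for unicast, 225.0.0.1 / 2000 for multicast). VXLAN itself carries no authentication or encryption, so this peer and VNI matching is the only filtering the encapsulation gives you; the inner frame and all addresses are constructed for the example.

```python
# Added example (not from the Fortinet article): VXLAN encapsulation, parsing,
# and the peer/VNI acceptance check a VTEP performs. Sample data is constructed.
import struct
from ipaddress import ip_address

VXLAN_UDP_PORT = 4789   # standard VXLAN destination port (RFC 7348)
VXLAN_FLAG_I = 0x08     # "I" flag: the VNI field is valid
VXLAN_HDR_LEN = 8       # flags(1) reserved(3) VNI(3) reserved(1)
ETH_HDR_LEN = 14        # dst MAC, src MAC, EtherType

def encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """Prepend a VXLAN header carrying `vni` to an Ethernet frame."""
    if not 0 <= vni < 2 ** 24:
        raise ValueError("VNI must fit in 24 bits")
    # Second 32-bit word holds the VNI in its upper 24 bits, low byte reserved.
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8) + inner_frame

def decapsulate(payload: bytes) -> tuple[int, bytes]:
    """Return (vni, inner Ethernet frame); reject malformed datagrams."""
    if len(payload) < VXLAN_HDR_LEN + ETH_HDR_LEN:
        raise ValueError("too short for VXLAN + Ethernet")
    flags, word = struct.unpack("!B3xI", payload[:VXLAN_HDR_LEN])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VNI-valid flag not set")
    return word >> 8, payload[VXLAN_HDR_LEN:]

def vtep_verdict(outer_src: str, outer_dst: str, dst_port: int,
                 payload: bytes, remote_ip: str, vni: int) -> str:
    """Acceptance test for one received UDP datagram on a VTEP.
    remote_ip and vni are the values from 'config system vxlan': for a unicast
    tunnel the outer source must be the configured peer; for a multicast tunnel
    the outer destination must be the configured group (any member may send)."""
    if dst_port != VXLAN_UDP_PORT:
        return "drop: not VXLAN port"
    peer = ip_address(remote_ip)
    if peer.is_multicast:
        if ip_address(outer_dst) != peer:
            return "drop: not our multicast group"
    elif ip_address(outer_src) != peer:
        return "drop: unexpected VTEP peer"
    try:
        got_vni, _inner = decapsulate(payload)
    except ValueError as exc:
        return f"drop: {exc}"
    if got_vni != vni:
        return f"drop: VNI {got_vni} != {vni}"
    return "accept"

# Constructed inner frame: dst MAC, src MAC, EtherType IPv4, dummy IP bytes.
INNER = bytes.fromhex("0011223344550a0b0c0d0e0f0800") + b"\x45" + b"\x00" * 19
```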
Related links:
https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-whats-new/Top-Network-vxlan.htm