FortiGate
abarushka
Staff
Article Id 198763
Description
This article explains how to configure native VXLAN, which carries traffic between two FortiGate units without encryption.

Solution
FortiGate A

Configure the VXLAN interface. Specify the WAN interface, the VNI, and the WAN IP address of the remote site (FortiGate B).
config system vxlan
    edit "name_1"
        set interface "port1"
        set vni 100
        set remote-ip "10.5.25.81"
    next
end
Configure a software switch with the LAN interface (port2) and the VXLAN interface (name_1) as members.
config system switch-interface
    edit "name_2"
        set vdom "root"
        set member "name_1" "port2"
    next
end
Note: the VXLAN interface entry below is created automatically under config system interface once the VXLAN is defined; it does not need to be configured manually (the snmp-index value is assigned by the unit).

config system interface
    edit "name_1"
        set vdom "root"
        set type vxlan
        set snmp-index 12
        set interface "port1"
    next
end
FortiGate B

Configure the VXLAN interface. Specify the WAN interface, the VNI, and the WAN IP address of the remote site (FortiGate A). The VNI must match the one used on FortiGate A.
config system vxlan
    edit "name_1"
        set interface "port1"
        set vni 100
        set remote-ip "10.5.21.41"
    next
end
Configure a software switch with the LAN interface (port2) and the VXLAN interface (name_1) as members.
config system switch-interface
    edit "name_2"
        set vdom "root"
        set member "name_1" "port2"
    next
end
Note: the VXLAN interface entry below is created automatically under config system interface once the VXLAN is defined; it does not need to be configured manually.

config system interface
    edit "name_1"
        set vdom "root"
        set type vxlan
        set snmp-index 12
        set interface "port1"
    next
end
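As an added consistency check (example code written for this article, not Fortinet's own tooling), the following Python parses the two CLI snippets above and verifies that the pair agrees: each side's remote-ip is the peer's WAN address, both VNIs match, and both the VXLAN interface and the LAN port are softswitch members. The WAN addresses are passed in by hand because the page shows only each side's remote-ip; since native VXLAN adds no encryption or authentication, the check confirms configuration consistency, not confidentiality.

```python
# Constructed sample: the two-site configuration shown in this article, one string per FortiGate.
FGT_A = """\
config system vxlan
    edit "name_1"
        set interface "port1"
        set vni 100
        set remote-ip "10.5.25.81"
    next
end
config system switch-interface
    edit "name_2"
        set member "name_1" "port2"
    next
end
"""
# FortiGate B is identical except that its remote-ip is A's WAN address.
FGT_B = FGT_A.replace("10.5.25.81", "10.5.21.41")

def parse_fortios(text):
    """Parse a flat FortiOS CLI dump into {table: {entry: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for tok in map(str.split, text.splitlines()):
        if not tok:
            continue
        if tok[0] == "config":
            table = " ".join(tok[1:])
            tables.setdefault(table, {})
        elif tok[0] == "edit":
            entry = tok[1].strip('"')
            tables[table].setdefault(entry, {})
        elif tok[0] == "set":
            tables[table][entry][tok[1]] = [v.strip('"') for v in tok[2:]]
    return tables

def check_vxlan_pair(cfg_a, wan_a, cfg_b, wan_b, lan="port2"):
    """Return findings for a native VXLAN pair; an empty list means both sides agree."""
    findings, vnis = [], []
    for side, cfg, peer_wan in (("A", cfg_a, wan_b), ("B", cfg_b, wan_a)):
        t = parse_fortios(cfg)
        name, vx = next(iter(t["system vxlan"].items()))  # first VXLAN entry on this side
        vnis.append(vx["vni"][0])
        if vx["remote-ip"][0] != peer_wan:
            findings.append(f"{side}: remote-ip {vx['remote-ip'][0]} is not the peer WAN {peer_wan}")
        members = [m for e in t["system switch-interface"].values() for m in e["member"]]
        for needed in (name, lan):  # both VXLAN and LAN must be bridged by the softswitch
            if needed not in members:
                findings.append(f"{side}: {needed} is not a softswitch member")
    if vnis[0] != vnis[1]:
        findings.append(f"VNI mismatch: {vnis[0]} vs {vnis[1]}")
    return findings
```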
Verify connectivity with the built-in sniffer while pinging from 10.0.0.1 (behind FortiGate A) to 10.0.0.2 (behind FortiGate B). On FortiGate A the echo request should enter on port2 and leave via the VXLAN interface name_1; on FortiGate B it should arrive on name_1 and leave via port2, with the reply taking the reverse path:
FortiGate A # diagnose sniffer packet any 'icmp and host 10.0.0.1 and host 10.0.0.2' 4 0 a
interfaces=[any]
filters=[icmp and host 10.0.0.1 and host 10.0.0.2]
2019-10-01 12:31:33.914921 port2 in 10.0.0.1 -> 10.0.0.2: icmp: echo request
2019-10-01 12:31:33.914935 name_1 out 10.0.0.1 -> 10.0.0.2: icmp: echo request
2019-10-01 12:31:33.917174 name_1 in 10.0.0.2 -> 10.0.0.1: icmp: echo reply
2019-10-01 12:31:33.917178 port2 out 10.0.0.2 -> 10.0.0.1: icmp: echo reply

FortiGate B # diagnose sniffer packet any 'icmp and host 10.0.0.1 and host 10.0.0.2' 4 0 a
interfaces=[any]
filters=[icmp and host 10.0.0.1 and host 10.0.0.2]
2019-10-01 12:31:33.862877 name_1 in 10.0.0.1 -> 10.0.0.2: icmp: echo request
2019-10-01 12:31:33.862896 port2 out 10.0.0.1 -> 10.0.0.2: icmp: echo request
2019-10-01 12:31:33.864564 port2 in 10.0.0.2 -> 10.0.0.1: icmp: echo reply
2019-10-01 12:31:33.864579 name_1 out 10.0.0.2 -> 10.0.0.1: icmp: echo reply
Note: traffic traversing a software switch cannot be offloaded to the network processor (NP), so higher CPU usage is to be expected on both units.
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-hardware-acceleration-52/acceleratio... (“Software switch interfaces and NP processors” section)