FortiGate
sagha
Staff
Article Id 197604

Description
This article describes how to configure VXLAN with virtual wire pair.

Solution
Virtual Extensible LAN (VXLAN) is a network virtualization technology used in large cloud computing deployments.
It encapsulates OSI layer 2 Ethernet frames within layer 3 IP packets, carried in UDP with the IANA-assigned destination port 4789.
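As an added illustration of the encapsulation described above (this is example code written for this article, not FortiOS code), the following Python builds a VXLAN packet for VNI 10 around a constructed VLAN-tagged Ethernet frame and parses it back. The MAC addresses and payload are made-up sample values; the 8-byte VXLAN header layout (flags byte with the I bit 0x08, 24-bit VNI, reserved fields) follows RFC 7348.

```python
import struct

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN destination port
VXLAN_FLAG_VNI_VALID = 0x08  # "I" flag: the VNI field is valid
TPID_8021Q = 0x8100          # 802.1Q VLAN tag protocol identifier


def build_vxlan_packet(vni: int, inner_frame: bytes) -> bytes:
    """Prepend an 8-byte VXLAN header to an inner Ethernet frame.

    Header: flags (1 byte), 3 reserved bytes, VNI (3 bytes), 1 reserved byte.
    The VNI is shifted left by 8 so it occupies the top 3 bytes of a 4-byte field.
    """
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    header = struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)
    return header + inner_frame


def parse_vxlan_packet(payload: bytes) -> tuple:
    """Return (vni, inner_frame) from a UDP payload, validating the header."""
    if len(payload) < 8:
        raise ValueError("VXLAN header truncated")
    flags, vni_field = struct.unpack("!B3xI", payload[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    return vni_field >> 8, payload[8:]


def build_vlan_tagged_frame(dst_mac: bytes, src_mac: bytes, vlan_id: int,
                            ethertype: int, payload: bytes) -> bytes:
    """Build an Ethernet frame with a single 802.1Q tag (PCP 0, DEI 0)."""
    tci = vlan_id & 0x0FFF
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def vlan_id_of_frame(frame: bytes):
    """Return the 802.1Q VLAN ID of a frame, or None if the frame is untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_8021Q else None


def demo() -> tuple:
    """Encapsulate a constructed VLAN 10 frame in VNI 10 and decode it again.

    Returns (vni, vlan_id, inner_equals_original). Outer IP/UDP headers are
    added by the VTEP (here the FortiGate) and add 14 + 20 + 8 + 8 = 50 bytes
    before IPsec overhead, which matters for MTU planning on the tunnel.
    """
    # Constructed sample values (not captured traffic)
    host1_mac = bytes.fromhex("001122334455")
    host2_mac = bytes.fromhex("66778899aabb")
    fake_ip_payload = b"\x45" + b"\x00" * 19       # minimal IPv4-looking stub
    frame = build_vlan_tagged_frame(host2_mac, host1_mac, 10, 0x0800, fake_ip_payload)
    packet = build_vxlan_packet(10, frame)
    vni, inner = parse_vxlan_packet(packet)
    return vni, vlan_id_of_frame(inner), inner == frame


if __name__ == "__main__":
    print(demo())
```

The VLAN tag survives untouched inside the VXLAN payload, which is why the virtual wire pair with wildcard VLANs later in this article can carry every VLAN across the single VNI.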


A virtual wire pair consists of two interfaces that do not have IP addresses and are treated like a transparent mode VDOM.
All traffic received by one interface in the virtual wire pair can only be forwarded to the other interface, provided a virtual wire pair firewall policy allows this traffic.
Traffic from other interfaces cannot be routed to the interfaces in a virtual wire pair.

In this example, a site-to-site IPsec VPN tunnel is formed between two FortiGates.
The same set of VLANs is configured at both locations.
VXLAN extends these VLANs at Layer 2 across the Layer 3 tunnel.

1) WAN Configuration.

As can be seen in the diagram, both FortiGates have a single WAN connection, namely wan1.


FortiGate 1:

# config system interface
    edit "wan1"
        set vdom "root"
        set ip 11.11.11.11 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
        set role wan
        set snmp-index 1
    next
end

FortiGate 2:

# config system interface
    edit "wan1"
        set vdom "root"
        set ip 22.22.22.22 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
        set role wan
        set snmp-index 1
    next
end

2) Static Route.


FortiGate 1:

# config router static
    edit 1
        set gateway 11.11.11.1
        set device "wan1"
    next
end

FortiGate 2:

# config router static
    edit 1
        set gateway 22.22.22.2
        set device "wan1"
    next
end

A single default static route on each FortiGate sends all outbound traffic via the WAN interface.

3) IPSec VPN Configuration.

To establish an IPSec VPN tunnel between the two FortiGates, the following parameters are configured on each side. The proposal shown uses aes256-sha1; where both peers support it, a SHA-2 integrity algorithm such as aes256-sha256 together with a strong, unique pre-shared key is preferable.

FortiGate 1:

# config vpn ipsec phase1-interface
    edit "ipsec"
        set interface "wan1"
        set peertype any
        set proposal aes256-sha1
        set remote-gw 22.22.22.22
        set psksecret <key>
    next
end

# config vpn ipsec phase2-interface
    edit "ipsec"
        set phase1name "ipsec"
        set proposal aes256-sha1
        set auto-negotiate enable
    next
end

# config system interface
    edit "ipsec"
        set ip 10.200.0.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.200.0.2 255.255.255.252
    next
end

FortiGate 2:

# config vpn ipsec phase1-interface
    edit "ipsec"
        set interface "wan1"
        set peertype any
        set proposal aes256-sha1
        set remote-gw 11.11.11.11
        set psksecret <key>
    next
end

# config vpn ipsec phase2-interface
    edit "ipsec"
        set phase1name "ipsec"
        set proposal aes256-sha1
        set auto-negotiate enable
    next
end

# config system interface
    edit "ipsec"
        set ip 10.200.0.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.200.0.1 255.255.255.252
    next
end

The above configuration forms an IPSec tunnel between the two FortiGates.
The tunnel interface named "ipsec" is created automatically when the phase1-interface is defined; the 'config system interface' block only assigns its local and remote IP addresses, which serve as the VXLAN endpoint addresses in the next step.

4) VXLAN Interface.

A VXLAN interface is configured and bound to the IPSec tunnel interface.
The remote-ip configured under 'config system vxlan' is the peer's tunnel endpoint, i.e. the IP address of its IPSec tunnel interface (10.200.0.2 seen from FortiGate 1, 10.200.0.1 seen from FortiGate 2), so the VXLAN UDP traffic is carried inside the encrypted tunnel rather than sent in clear text to the peer WAN address.

FortiGate 1:

# config system vxlan
    edit "vxlan"
        set interface "ipsec"
        set vni 10
        set remote-ip "10.200.0.2"
    next
end

FortiGate 2:

# config system vxlan
    edit "vxlan"
        set interface "ipsec"
        set vni 10
        set remote-ip "10.200.0.1"
    next
end

5) Virtual Wire Pair.

A virtual wire pair is created with the LAN interface (port1) and the VXLAN interface as its two members.

The interface members added to the virtual wire pair cannot be part of a switch, such as the default LAN/internal interface.

FortiGate 1:

# config system virtual-wire-pair
    edit "vwp"
        set member "port1" "vxlan"
        set wildcard-vlan enable
    next
end

FortiGate 2:

# config system virtual-wire-pair
    edit "vwp"
        set member "port1" "vxlan"
        set wildcard-vlan enable
    next
end

In this example, Host1 and Host2 are connected to VLAN10 on their respective switches.
Enabling wildcard VLANs on the virtual wire pair lets all VLAN-tagged traffic pass through the pair, provided that a virtual wire pair firewall policy allows it.

6) Firewall Policy.

A firewall policy is needed to allow traffic between the LAN and VXLAN interfaces.
Note that the 'IPv4 virtual wire pair policy' menu item appears in the GUI once a virtual wire pair has been created.


FortiGate 1:

# config firewall policy
    edit 4
        set name "vwp-pol"
        set srcintf "port1" "vxlan"
        set dstintf "port1" "vxlan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
end

FortiGate 2:

# config firewall policy
    edit 4
        set name "vwp-pol"
        set srcintf "port1" "vxlan"
        set dstintf "port1" "vxlan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
end
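Steps 4 to 6 depend on the two sites agreeing with each other: the VXLAN must be bound to a tunnel interface, each side's vxlan remote-ip must be the peer's tunnel interface address, the VNI must match, and the VXLAN interface must be a virtual wire pair member covered by an accept policy. The following Python is an added example (not FortiOS code, and not part of the original article) that parses the flat 'config / edit / set / next / end' CLI blocks shown above and cross-checks the two sites. The embedded site configurations are constructed from the article's own values via a small template; `parse_fortios_config`, `check_vxlan_over_ipsec` and `site_config` are names chosen for this example.

```python
import shlex


def parse_fortios_config(text: str) -> dict:
    """Parse flat FortiOS CLI blocks into {table: {entry: {key: [values]}}}.

    Handles config / edit / set / next / end plus a leading '# ' prompt.
    Nested tables inside an 'edit' are not needed for this article.
    """
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("#").strip()
        if not line:
            continue
        tok = shlex.split(line)
        if tok[0] == "config":
            table = " ".join(tok[1:])
            tables.setdefault(table, {})
        elif tok[0] == "edit":
            entry = tok[1]
            tables[table].setdefault(entry, {})
        elif tok[0] == "set":
            tables[table][entry][tok[1]] = tok[2:]
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            table = None
    return tables


def first(d: dict, key: str, default: str = "") -> str:
    """First value of a 'set' line, or default when the key is absent."""
    return d.get(key, [default])[0]


def check_vxlan_over_ipsec(site_a: dict, site_b: dict) -> list:
    """Return a list of consistency problems between the two parsed sites."""
    problems = []
    for local, peer, name in ((site_a, site_b, "FortiGate 1"), (site_b, site_a, "FortiGate 2")):
        vwp_members = set()
        for pair in local.get("system virtual-wire-pair", {}).values():
            vwp_members.update(pair.get("member", []))
        for vname, vx in local.get("system vxlan", {}).items():
            tun = first(vx, "interface")
            if first(local.get("system interface", {}).get(tun, {}), "type") != "tunnel":
                problems.append(f"{name}: vxlan '{vname}' is bound to '{tun}', not a tunnel interface")
            # remote-ip must be the peer's tunnel interface address, not its WAN address
            peer_tun_ip = first(peer.get("system interface", {}).get(tun, {}), "ip")
            if first(vx, "remote-ip") != peer_tun_ip:
                problems.append(f"{name}: vxlan '{vname}' remote-ip {first(vx, 'remote-ip')} "
                                f"is not the peer tunnel address {peer_tun_ip}")
            if vx.get("vni") != peer.get("system vxlan", {}).get(vname, {}).get("vni"):
                problems.append(f"{name}: VNI of vxlan '{vname}' differs from the peer's")
            if vname not in vwp_members:
                problems.append(f"{name}: vxlan '{vname}' is not a virtual wire pair member")
            if not any(first(p, "action") == "accept" and vname in p.get("srcintf", [])
                       and vname in p.get("dstintf", [])
                       for p in local.get("firewall policy", {}).values()):
                problems.append(f"{name}: no accept policy carries vxlan '{vname}' in srcintf and dstintf")
    return problems


def site_config(tun_ip: str, peer_tun_ip: str) -> str:
    """Constructed, condensed config text for one site using the article's values."""
    return f'''
# config system interface
    edit "ipsec"
        set ip {tun_ip} 255.255.255.255
        set type tunnel
        set remote-ip {peer_tun_ip} 255.255.255.252
    next
end
# config system vxlan
    edit "vxlan"
        set interface "ipsec"
        set vni 10
        set remote-ip "{peer_tun_ip}"
    next
end
# config system virtual-wire-pair
    edit "vwp"
        set member "port1" "vxlan"
        set wildcard-vlan enable
    next
end
# config firewall policy
    edit 4
        set srcintf "port1" "vxlan"
        set dstintf "port1" "vxlan"
        set action accept
    next
end
'''


SITE1_CFG = site_config("10.200.0.1", "10.200.0.2")
SITE2_CFG = site_config("10.200.0.2", "10.200.0.1")

if __name__ == "__main__":
    issues = check_vxlan_over_ipsec(parse_fortios_config(SITE1_CFG), parse_fortios_config(SITE2_CFG))
    print("OK" if not issues else "\n".join(issues))
```

Feeding it the output of `show system vxlan`, `show system interface`, `show system virtual-wire-pair` and `show firewall policy` from both units catches the most common mistake in this design, pointing the vxlan remote-ip at the peer's WAN address instead of its tunnel address, before the ping test in step 7 is even attempted.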

7) Testing.

When Host1 (VLAN10: 192.168.10.1/24), connected to Switch1, tries to reach Host2 (VLAN10: 192.168.10.2/24), connected to Switch2, the following behavior is observed.

C:\Users\Host1>ping 192.168.10.2

Pinging 192.168.10.2 with 32 bytes of data:
Reply from 192.168.10.2: bytes=32 time=8ms TTL=56
Reply from 192.168.10.2: bytes=32 time=8ms TTL=56
Reply from 192.168.10.2: bytes=32 time=8ms TTL=56
Reply from 192.168.10.2: bytes=32 time=11ms TTL=56

Ping statistics for 192.168.10.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 8ms, Maximum = 11ms, Average = 8ms
