Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiADC 6.2.5 CLI Reference
    6.2.5
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.2
    6.0.1
    6.0.0
    5.4.5
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.0
    4.8.1
    4.7.0

    config system overlay-tunnel

    config system overlay-tunnel

    Use this command to configure an overlay tunnel.

    FortiADC support two types of overlay protocols—VXLAN and NVGRE.

    • Virtual Extensible LAN (VXLAN) is a network virtualization technology used in large cloud-computing deployments. It encapsulates OSI Layer-2 Ethernet frames within Layer-3 IP packets using the standard destination port 4789. VXLAN endpoints that terminate VXLAN tunnels are known as VXLAN tunnel endpoints (VTEPs), and can be virtual or physical switch ports. For more information, see RFC 7348.
    • Network Virtualization using Generic Routing Encapsulation (NVGRE) is a network virtualization technology that attempts to alleviate the scalability problems associated with large cloud-computing deployments. It uses Generic Routing Encapsulation (GRE) to tunnel Layer-2 packets over Layer-3 networks.

    Before you begin, make sure that you have read-write permission to configure system settings.

    Syntax

    config system vxlan

    edit <name> <string>

    set type {vxlan|nvgre}

    set interface <datasource>

    set vni <integer>

    set vsid <integer

    set ip-version {ipv4-unicast|ipv4-multicast}

    set dstport <integer>

    set multicast-ttl <integer>

    set destination-ip-addresses <class_ip>

    config remote-host

    edit <No.>

    set host-mac-address <xx:xx:xx:xx:xx:xx>

    set vtep <class_ip>

    next

    end

    next

    end

    type

    Select a virtual overlay networking protocol:

    • VXLAN (default)
    • NVGRE
    interface

    The outing interface for VXLAN encapsulated traffic.
    dstport

    The VXLAN destination port (number). The default is 4789. The valid range is 1–6553.

    vni

    The VXLAN network ID. The valid range is 1–16777215.
    vsid

    The NVGRE ID. The valid range is 1–16777215.
    ip-version

    The IP version to use for the VXLAN interface and for communication over VXLAN.

    • ipv4-unicast—Use IPv4 unicast addressing over VXLAN or NVGRE.
    • ipv4-multicast—Use IPv4 multicast addressing over VXLAN.
    destination-ip-address

    Specify the destination IP address.

    Note: For IPv4 unicast, specify an IPv4 address of the VXLAN interface on the device at the remote end of the VXLAN. You can set multiple VTEP IP addresses, splitting with space char; for IPv4 multicast, specify one multicast IP address only.
    multicast-ttl

    The option applies to IPv4 multicast IP type only.

    Specify the multicast TTL. Valid values are from 0 (default) to 255.
    remote-host Add static MAC_to_VTEP to VXLAN mapping table.
    host-mac-address Set the remote host MAC address. The format is xx:xx:xx:xx:xx:xx
    vtep Set the remote VTEP IP address.

    Example

    The following commands create a VXLAN interface with two VTEP peers:

    config system overlay-tunnel

    edit "vxlan1"

    set type vxlan

    set interface port2

    set ip-version ipv4-unicast

    set destination-ip-addresses 10.75.0.202 10.75.0.88

    set dstport 4789

    set vni 1122

    config remote-host

    end

    next

    The following commands create a VXLAN interface with a multicast IP:

    config system overlay-tunnel

    edit "vxlan1"

    set type vxlan

    set interface vlan249

    set ip-version ipv4-multicast

    set destination-ip-addresses 239.1.1.1

    set dstport 4789

    set vni 1122

    config remote-host

    edit 1

    set host-mac-address 22:22:22:22:22:22

    set vtep 3.2.2.2

    end

    next

    The following commands create an NVGRE interface with two remote gateway IPs:

    config system overlay-tunnel

    edit "nvgre1"

    set type nvgre

    set interface vlan249

    set ip-version ipv4-unicast

    set destination-ip-addresses 10.75.0.202 10.75.0.88

    set dstport 4789

    set vsid 1122

    config remote-host

    end

    next

    After creating a VXLAN/NVGRE tunnel, the system will create one interface automatically accordingly.

    To diagnose your VXLAN configuration, use the following command:

    diagnose sys vxlan fdb list vxlan1

    (M) FortiADC-VM# diagnose system vxlan-fdb vxlan1

    ff:ff:ff:ff:ff:ff dst 10.249.100.31 via vlan249 self permanent

    ff:ff:ff:ff:ff:ff dst 10.249.100.38 via vlan249 self permanent

    22:22:22:22:22:22 dst 3.2.2.2 via vlan249 self permanent

    Previous
    Next

    config system overlay-tunnel

    config system overlay-tunnel

    Use this command to configure an overlay tunnel.

    FortiADC support two types of overlay protocols—VXLAN and NVGRE.

    • Virtual Extensible LAN (VXLAN) is a network virtualization technology used in large cloud-computing deployments. It encapsulates OSI Layer-2 Ethernet frames within Layer-3 IP packets using the standard destination port 4789. VXLAN endpoints that terminate VXLAN tunnels are known as VXLAN tunnel endpoints (VTEPs), and can be virtual or physical switch ports. For more information, see RFC 7348.
    • Network Virtualization using Generic Routing Encapsulation (NVGRE) is a network virtualization technology that attempts to alleviate the scalability problems associated with large cloud-computing deployments. It uses Generic Routing Encapsulation (GRE) to tunnel Layer-2 packets over Layer-3 networks.

    Before you begin, make sure that you have read-write permission to configure system settings.

    Syntax

    config system vxlan

    edit <name> <string>

    set type {vxlan|nvgre}

    set interface <datasource>

    set vni <integer>

    set vsid <integer

    set ip-version {ipv4-unicast|ipv4-multicast}

    set dstport <integer>

    set multicast-ttl <integer>

    set destination-ip-addresses <class_ip>

    config remote-host

    edit <No.>

    set host-mac-address <xx:xx:xx:xx:xx:xx>

    set vtep <class_ip>

    next

    end

    next

    end

    type

    Select a virtual overlay networking protocol:

    • VXLAN (default)
    • NVGRE
    interface

    The outing interface for VXLAN encapsulated traffic.
    dstport

    The VXLAN destination port (number). The default is 4789. The valid range is 1–6553.

    vni

    The VXLAN network ID. The valid range is 1–16777215.
    vsid

    The NVGRE ID. The valid range is 1–16777215.
    ip-version

    The IP version to use for the VXLAN interface and for communication over VXLAN.

    • ipv4-unicast—Use IPv4 unicast addressing over VXLAN or NVGRE.
    • ipv4-multicast—Use IPv4 multicast addressing over VXLAN.
    destination-ip-address

    Specify the destination IP address.

    Note: For IPv4 unicast, specify an IPv4 address of the VXLAN interface on the device at the remote end of the VXLAN. You can set multiple VTEP IP addresses, splitting with space char; for IPv4 multicast, specify one multicast IP address only.
    multicast-ttl

    The option applies to IPv4 multicast IP type only.

    Specify the multicast TTL. Valid values are from 0 (default) to 255.
    remote-host Add static MAC_to_VTEP to VXLAN mapping table.
    host-mac-address Set the remote host MAC address. The format is xx:xx:xx:xx:xx:xx
    vtep Set the remote VTEP IP address.

    Example

    The following commands create a VXLAN interface with two VTEP peers:

    config system overlay-tunnel

    edit "vxlan1"

    set type vxlan

    set interface port2

    set ip-version ipv4-unicast

    set destination-ip-addresses 10.75.0.202 10.75.0.88

    set dstport 4789

    set vni 1122

    config remote-host

    end

    next

    The following commands create a VXLAN interface with a multicast IP:

    config system overlay-tunnel

    edit "vxlan1"

    set type vxlan

    set interface vlan249

    set ip-version ipv4-multicast

    set destination-ip-addresses 239.1.1.1

    set dstport 4789

    set vni 1122

    config remote-host

    edit 1

    set host-mac-address 22:22:22:22:22:22

    set vtep 3.2.2.2

    end

    next

    The following commands create an NVGRE interface with two remote gateway IPs:

    config system overlay-tunnel

    edit "nvgre1"

    set type nvgre

    set interface vlan249

    set ip-version ipv4-unicast

    set destination-ip-addresses 10.75.0.202 10.75.0.88

    set dstport 4789

    set vsid 1122

    config remote-host

    end

    next

    After creating a VXLAN/NVGRE tunnel, the system will create one interface automatically accordingly.

    To diagnose your VXLAN configuration, use the following command:

    diagnose sys vxlan fdb list vxlan1

    (M) FortiADC-VM# diagnose system vxlan-fdb vxlan1

    ff:ff:ff:ff:ff:ff dst 10.249.100.31 via vlan249 self permanent

    ff:ff:ff:ff:ff:ff dst 10.249.100.38 via vlan249 self permanent

    22:22:22:22:22:22 dst 3.2.2.2 via vlan249 self permanent

    Previous
    Next