Fortinet Handbook 6.0.0

VXLANs

Virtual Extensible LAN (VXLAN) is a network virtualization technology that's used in large cloud computing deployments. It encapsulates OSI layer 2 Ethernet frames within layer 3 IP packets using the standard destination port 4789. VXLAN endpoints that terminate VXLAN tunnels can be virtual or physical switch ports, and are known as VXLAN Tunnel Endpoints (VTEPs). For more information about VXLAN, see RFC 7348.
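To make the encapsulation described above concrete, here is an added example written for this page (it is not Fortinet code and not part of FortiOS) that decodes the 8-byte VXLAN header found in the payload of a UDP datagram to port 4789, checks the "I" flag that RFC 7348 requires, extracts the 24-bit VNI and the inner Ethernet frame's addresses, and builds a matching packet so the parser can be exercised offline. The sample inner frame (a broadcast ARP request from the MAC address shown in this page's interface listing) is constructed here for illustration.

```python
import struct

VXLAN_PORT = 4789        # IANA-assigned VXLAN UDP destination port (RFC 7348)
VXLAN_HEADER_LEN = 8     # flags(1) + reserved(3) + VNI(3) + reserved(1)
FLAG_VNI_VALID = 0x08    # the "I" flag: the VNI field is valid
ETH_HEADER_LEN = 14      # dst MAC(6) + src MAC(6) + EtherType(2)


def parse_vxlan(payload: bytes) -> dict:
    """Decode a VXLAN header and the inner Ethernet header from a UDP payload.

    Raises ValueError on malformed input so a passive monitor can count or
    alert on traffic to UDP/4789 that is not well-formed VXLAN.
    """
    if len(payload) < VXLAN_HEADER_LEN:
        raise ValueError("payload shorter than VXLAN header")
    flags, _reserved1, vni_word = struct.unpack("!B3sI", payload[:VXLAN_HEADER_LEN])
    # RFC 7348 section 5: the I flag MUST be 1; other flag bits and the reserved
    # fields are ignored on receipt, so only the I flag is enforced here.
    if not flags & FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    vni = vni_word >> 8  # 24-bit VNI sits in the top three bytes of the last word
    inner = payload[VXLAN_HEADER_LEN:]
    if len(inner) < ETH_HEADER_LEN:
        raise ValueError("inner Ethernet frame truncated")
    dst_mac = inner[0:6].hex(":")
    src_mac = inner[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", inner[12:14])
    return {
        "vni": vni,
        "flags": flags,
        "dst_mac": dst_mac,
        "src_mac": src_mac,
        "ethertype": ethertype,
        "inner_len": len(inner),
    }


def build_vxlan(vni: int, inner_frame: bytes) -> bytes:
    """Encapsulate an Ethernet frame: VXLAN header with the I flag set, then the frame."""
    if not 0 <= vni < 2 ** 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3sI", FLAG_VNI_VALID, b"\x00\x00\x00", vni << 8) + inner_frame


# Constructed sample: broadcast ARP (EtherType 0x0806) from 8a:ee:1d:5d:ae:53,
# padded with zeros to a 42-byte frame. Not captured from a real network.
SAMPLE_FRAME = (
    bytes.fromhex("ffffffffffff")      # destination: broadcast
    + bytes.fromhex("8aee1d5dae53")    # source: example MAC from the page
    + b"\x08\x06"                      # EtherType ARP
    + b"\x00" * 28                     # ARP body placeholder
)
SAMPLE_PACKET = build_vxlan(1, SAMPLE_FRAME)  # VNI 1, as in the page's fdb output

if __name__ == "__main__":
    print(parse_vxlan(SAMPLE_PACKET))
```

Running the block prints the decoded fields of the constructed packet (VNI 1, broadcast destination, EtherType 0x0806). On a monitoring sensor the same parser, fed the payload of every UDP/4789 datagram, lets you check that the VNIs seen on the wire are the ones you actually configured and that the inner frames carry the EtherTypes you expect; an unencrypted VXLAN tunnel gives no confidentiality or integrity by itself, so such checks are the visibility you have unless the outer path is protected.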

VTEP support

FortiOS supports native VXLAN. You can configure VXLANs in the FortiGate CLI.

config system vxlan
    edit <vxlan1>            //VXLAN device name (unique name in system.interface)
        set interface        //Local outgoing interface
        set vni              //VXLAN network ID
        set ip-version       //IP version to use for VXLAN device
        set dstport          //VXLAN destination port, default is 4789
        set multicast-ttl    //VXLAN multicast TTL
        set remote-ip        //Remote IP address of VXLAN
    next
end

This creates a VXLAN interface:

show system interface vxlan1
config system interface
    edit "vxlan1"
        set vdom "root"
        set type vxlan
        set snmp-index 36
        set macaddr 8a:ee:1d:5d:ae:53
        set interface "port9"
    next
end

To verify the new VXLAN interface, go to Network > Interfaces in the FortiGate GUI.

To diagnose the VXLAN configuration, use the following command in the FortiGate CLI:

diagnose sys vxlan fdb list vxlan1

This command provides information about the VXLAN forwarding database (fdb) that's associated with the vxlan1 interface. The following is a sample output:

-----------mac=00:00:00:00:00:00 state=0x0082 flags=0x00-----------
-----------remote_ip=2.2.2.2 remote_port=4789-----------
-----------remote_vni=1 remote_ifindex=19-----------
total fdb num: 1
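The fdb listing above is what you would check after configuring the tunnel. As an added example (written for this page, not Fortinet's tooling), the following Python parses that output format into structured entries and compares each entry's remote_ip, remote_port and remote_vni against the values you set with set remote-ip, set dstport and set vni, returning a list of discrepancies. The sample text is constructed from the page's output; the field layout (a mac= line followed by remote_* lines per entry, then a total line) is assumed from that sample.

```python
import re

# Constructed sample: the output shape this page shows for
# "diagnose sys vxlan fdb list vxlan1".
SAMPLE_FDB_OUTPUT = """\
-----------mac=00:00:00:00:00:00 state=0x0082 flags=0x00-----------
-----------remote_ip=2.2.2.2 remote_port=4789-----------
-----------remote_vni=1 remote_ifindex=19-----------
total fdb num: 1
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
HEX_FIELDS = {"state", "flags"}                         # printed as 0x....
INT_FIELDS = {"remote_port", "remote_vni", "remote_ifindex"}


def _convert(key: str, value: str):
    """Turn the textual field value into an int where the field is numeric."""
    if key in HEX_FIELDS:
        return int(value, 16)
    if key in INT_FIELDS:
        return int(value)
    return value


def parse_fdb(text: str):
    """Parse fdb list output into (entries, reported_total).

    A new entry starts at each line carrying a mac= field; the remote_* lines
    that follow belong to that entry. The dashes framing each line are stripped
    first so they are not swallowed into the last value on the line.
    """
    entries, total = [], None
    for raw in text.splitlines():
        line = raw.strip().strip("-")
        if line.startswith("total fdb num:"):
            total = int(line.split(":", 1)[1])
            continue
        pairs = {k: _convert(k, v) for k, v in KV_RE.findall(line)}
        if not pairs:
            continue
        if "mac" in pairs or not entries:
            entries.append({})
        entries[-1].update(pairs)
    return entries, total


def check_fdb(entries, total, expected: dict) -> list:
    """Compare every entry against the configured tunnel parameters.

    expected maps fdb field names (remote_ip, remote_port, remote_vni) to the
    configured value, or to a set of acceptable values when several remote
    VTEPs are configured. Returns human-readable discrepancies; an empty list
    means the fdb matches the configuration.
    """
    problems = []
    if total is not None and total != len(entries):
        problems.append(f"reported {total} entries, parsed {len(entries)}")
    for entry in entries:
        for key, want in expected.items():
            got = entry.get(key)
            ok = got in want if isinstance(want, (set, frozenset, list, tuple)) else got == want
            if not ok:
                problems.append(f"{entry.get('mac')}: {key}={got}, expected {want}")
    return problems


if __name__ == "__main__":
    parsed, reported = parse_fdb(SAMPLE_FDB_OUTPUT)
    print(parsed, reported)
    print(check_fdb(parsed, reported, {"remote_ip": "2.2.2.2", "remote_port": 4789, "remote_vni": 1}))
```

Feeding the command output into parse_fdb and then check_fdb with the values from your config system vxlan entry gives a quick, scriptable confirmation that the tunnel terminates at the peer and VNI you intended, which is worth automating wherever a VTEP peer change would otherwise go unnoticed.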

VXLAN support for multiple remote IP addresses

VXLAN is supported for multiple remote IP addresses, which can be IPv4 unicast, IPv6 unicast, IPv4 multicast, or IPv6 multicast. This is useful in datacenter scenarios where the FortiGate is configured with multiple tunnels to compute nodes.

CLI changes

The set ip-version option can be set to the following:

    ipv4-unicast      //Use IPv4 unicast addressing for VXLAN.
    ipv6-unicast      //Use IPv6 unicast addressing for VXLAN.
    ipv4-multicast    //Use IPv4 multicast addressing for VXLAN.
    ipv6-multicast    //Use IPv6 multicast addressing for VXLAN.

When ip-version is set to ipv4-multicast or ipv6-multicast, the ttl option is replaced by multicast-ttl.
