FortiExtender LAN extension in public cloud FGT-VM 7.0.4
The FortiExtender LAN extension feature allows a FortiGate to extend its LAN functionality to a remote FortiExtender. In this enhancement, the FortiExtender LAN extension is added to the FGT-VM running on Public Clouds.
Topology in demo configuration:
GUI
The LAN-extension interface is up on the FGT-AWS.
The FGT-AWS LAN-extension interface is able to act as a DHCP server over VXLAN, and remote branch computers (In this demo, it's an FGT61F) behind the FortiExtender is able to get IP addresses from the DHCP server on the FGT-AWS LAN-extension interface.
CLI
Step 1: Configure the FortiExtender:
FX200F5919000000 # config system interface
FX200F5919000000 (interface) # edit port1
FX200F5919000000 (port1) # set mode static
FX200F5919000000 (port1) <M> # set ip 5.5.5.1/24
FX200F5919000000 (port1) <M> # set gateway 5.5.5.99
FX200F5919000000 (port1) <M> # end
FX200F5919000000 # execute ping 18.234.125.193
PING 18.234.125.193 (18.234.125.193): 56 data bytes
64 bytes from 18.234.125.193: seq=0 ttl=233 time=68.132 ms
FX200F5919000000 # config system management
FX200F5919000000 (management) # set discovery-type fortigate
Changing "discovery-type" may affect networking mode and virtual-wire-pair configuration, resulting in system reboot!
Do you want to continue? (y/n)y
FX200F5919000000 (management) <M> # config fortigate
FX200F5919000000 (fortigate) # set ac-discovery-type static
FX200F5919000000 (fortigate) <M> # config static-ac-addr
FX200F5919000000 (static-ac-addr) # edit 1
FX200F5919000000 (1) <M> # set server 18.234.125.193
FX200F5919000000 (1) <M> # next
FX200F5919000000 (static-ac-addr) # end
FX200F5919000000 (fortigate) <M> # set discovery-intf port1
FX200F5919000000 (fortigate) <M> # end
FX200F5919000000 (management) <M> # end
config system switch-interface
edit le-switch
set members le-agg-link lan
set stp disable
next
end
edit lan
set type lan-switch
set status up
set mode static
set ip
set gateway
set mtu-override enable
set mtu 1500
set distance 50
set vrrp-virtual-mac enable
config vrrp
set status disable
end
set allowaccess http https ssh ping telnet
next
config system lan-switch
config ports
edit port4
next
edit port5
next
end
end
Step 2: Configure the FGT-AWS:
FGT-AWS-EXT # show system global
config system global
set fortiextender enable
set hostname "FGT-AWS-EXT"
end
config system interface
edit "port1"
set allowaccess ping https ssh http fgfm fabric
next
end
config extender-controller extender <=======This table is automatically added after FGT detects the FEXT over "fabric" protocol on the port1
edit "FX0035919000000"
set id "FX200F5919000000"
set device-id 0
set extension-type lan-extension
set profile "FX200F-lanext-default"
next
end
config extender-controller extender-profile
edit "FX200F-lanext-default"
set id 0
set model FX200F
set extension lan-extension
config lan-extension
set ipsec-tunnel "fext-ipsec-ufLq"
set backhaul-interface "port1"
set backhaul-ip "18.234.125.193"
config backhaul
edit "1"
set port port1
set role primary
next
end
end
next
end
config extender-controller extender
edit "FX0035919000000"
set authorized enable
next
end
Step 3: IPSec is connected between FGT-AWS and FEXT automatically. No need to configure it manually. Ensure that IPSec works:
FGT-AWS-EXT # sh vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "fext-ipsec-v3JH"
set type dynamic
set interface "port1"
set ike-version 2
set peertype one
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set localid "localid-760sv1bSXj2wrUASE1uwcryLKi1XEUlmh1v1FehZ2u97lqHDPUkCjFh"
set dpd on-idle
set comments "[FX200F-lanext-default] Do NOT edit. Automatically generated by extender controller."
set peerid "peerid-4GyQg3yg01w5ye7oaPQNQlQs9fM8qyXReabC3lBsOPeZGSdiqfJp8tjl"
set psksecret ENC IyjGZpuZykJBmtOL4cfEoQQ/yNM4N1kDXvB/TBq6dXlzeXymkw8cyoizM2a8SeyWao2sGnLCkqqkHItruVfy7jy10dMp6AzaFlnxP6f9k8hTEBKxqUOS3+ccvSLFWvM7ouuaWgA6Hdu4StWsBVMc85tBFe+H6PTnVpRFaRCYQE0yatuM9tcWQXCilsuv66HlAYvGlw==
set dpd-retryinterval 60
next
end
FGT-AWS-EXT # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=fext-ipsec-v3JH_0 ver=2 serial=3 10.0.1.175:4500->204.101.161.19:64916 tun_id=204.101.161.19 tun_id6=::10.0.0.3 dst_mtu=9001 dpd-link=on weight=1
bound_if=3 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/9088 options[2380]=rgwy-chg rport-chg frag-rfc run_state=0 accept_traffic=1 overlay_id=0
parent=fext-ipsec-v3JH index=0
proxyid_num=1 child_num=0 refcnt=8 ilast=0 olast=0 ad=/0
stat: rxp=6334 txp=710 rxb=1190272 txb=62655
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=0 interval=10 remote_port=64916
proxyid=fext-ipsec-v3JH proto=0 sa=1 ref=4 serial=1 add-route
src: 0:10.252.0.1-10.252.0.1:0
dst: 0:10.252.0.2-10.252.0.2:0
SA: ref=3 options=682 type=00 soft=0 mtu=8926 expire=40316/0B replaywin=2048
seqno=2c7 esn=0 replaywin_lastseq=000018be itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=43189/43200
dec: spi=07c1e02b esp=aes key=16 b0e867d4cb6b4ebc6778ea7dff3819db
ah=sha1 key=20 70e681e26a5bdcaa60e16f32d714b4ee74073306
enc: spi=c6e96e0d esp=aes key=16 139e01770682b809d24702bb9c446e8f
ah=sha1 key=20 89ffb4be3b6b9db9145be6f0d37ee49d01940a2f
dec:pkts/bytes=6334/764822, enc:pkts/bytes=710/115536
------------------------------------------------------
name=fext-ipsec-v3JH ver=2 serial=1 10.0.1.175:0->0.0.0.0:0 tun_id=10.0.0.1 tun_id6=::10.0.0.1 dst_mtu=0 dpd-link=on weight=1
bound_if=3 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/512 options[0200]=frag-rfc accept_traffic=1 overlay_id=0
proxyid_num=0 child_num=1 refcnt=3 ilast=2907 olast=2907 ad=/0
stat: rxp=6336 txp=712 rxb=1190592 txb=62823
dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=0
Step 4: Ensure that VXLAN over IPSec is set up automatically between the FGT cloud VM and the FortiExtender. No need to configure it manually.
FGT-AWS-EXT # diagnose sys vxlan fdb list FX0035919000000
mac=00:00:00:00:00:00 state=0x0082 remote_ip=10.252.0.2 port=9999 vni=0 ifindex=9
mac=e8:1c:ba:c4:4e:b8 state=0x0002 remote_ip=10.252.0.2 port=9999 vni=0 ifindex=9
mac=04:d5:90:7a:50:a8 state=0x0002 remote_ip=10.252.0.2 port=9999 vni=0 ifindex=9
total fdb num: 3
Step 5: Set the IP address for the FGT-AWS LAN-extension interface, and ensure that the FGT-AWS LAN-extension interface is able to act as DHCP server over VXLAN:
FGT-AWS-EXT # show system dhcp server 100
config system dhcp server
edit 100
set default-gateway 192.168.3.99
set netmask 255.255.255.0
set interface "FX0035919000000"
config ip-range
edit 1
set start-ip 192.168.3.2
set end-ip 192.168.3.98
next
end
next
end
config system interface
edit "FX0035919000000"
set vdom "root"
set ip 192.168.3.99 255.255.255.0
set allowaccess ping https ssh snmp http telnet
set type lan-extension
set role lan
set snmp-index 7
set interface "fext-ipsec-v3JH"
next
end
***** FEXT le-switch interface is able to get the ip (192.168.3.2) from FGT-AWS vxlan interface dhcp server
FX200F5919000000 # get system interface
== [ le-switch ]
name: le-switch status: online/up/link up type: switch mac: e8:1c:ba:c4:4e:b8 mode: dhcp ip: 192.168.3.2/24 mtu: 1500
gateway: 192.168.3.99
***** Remote branch PC behind FEXT lan interface is able to get the ip from FGT-AWS vxlan interface dhcp server.
In this demo, a FGT61F acts as a PC behind FEXT, this FGT61 wan1 interface is the same switch as FEXT lan interface port4.
Set FGT61 wan1 interface as dhcp client, it can get ip address (in this demo it's 192.168.3.3) from FGT-AWS lan-extension interface.
FGT61FTK19006594 # show system interface wan1
config system interface
edit "wan1"
set vdom "root"
set mode dhcp
set allowaccess ping https ssh snmp
set type physical
set role wan
set snmp-index 1
next
endFGT61FTK19006594 # diag hardware deviceinfo nic wan1 Current_HWaddr 04:d5:90:7a:50:a8 Permanent_HWaddr 04:d5:90:7a:50:a8
Step 6: Ensure that the FGT-AWS is able to access the remote branch behind the FortiExtender via VXLAN:
FGT-AWS-EXT # exec ping 192.168.3.3 PING 192.168.3.3 (192.168.3.3): 56 data bytes 64 bytes from 192.168.3.3: icmp_seq=0 ttl=255 time=68.9 ms 64 bytes from 192.168.3.3: icmp_seq=1 ttl=255 time=68.6 ms FGT-AWS-EXT # diag ip arp list index=13 ifname=FX0035919000000 192.168.3.3 04:d5:90:7a:50:a8 state=00000008 use=362 confirm=362 update=429 ref=3