General VXLAN configuration and topologies
This topic describes general VXLAN configurations and commonly used topologies. In the most basic configuration, a FortiGate is configured as a VXLAN tunnel endpoint (VTEP).
To configure a FortiGate as a VTEP:
-
Configure the local interface:
config system vxlan edit <name> set interface <string> set vni <integer> set ip-version {ipv4-unicast | ipv6-unicast | ipv4-multicast | ipv6-multicast} set dstport <integer> set remote-ip <IP_address> set remote-ip6 <IP_address> next end
interface <string>
Set the local outgoing interface for the VXLAN encapsulated traffic.
vni <integer>
Set the VXLAN network ID.
ip-version {ipv4-unicast | ipv6-unicast | ipv4-multicast | ipv6-multicast}
Set the IP version to use for the VXLAN device and communication over VXLAN (default = ipv4-unicast).
dstport <integer>
Set the VXLAN destination port (default = 4789).
remote-ip <IP_address>
Set the IPv4 address of the remote VXLAN endpoint.
remote-ip6 <IP_address>
Set the IPv6 address of the remote VXLAN endpoint.
The VXLAN system interface is automatically created with a
vxlan
type. -
Configure the VXLAN interface settings:
config system interface edit <name> set vdom <string> set type vxlan set ip <IP_address> set allowaccess {ping https ssh http telnet fgfm radius-acct probe-response fabric ftm speed-test} next end
-
Connect the internal interface and VXLAN interface to the same L2 network.
-
Connect using a software switch:
config system switch-interface edit <name> set vdom <string> set member <member_1> <member_2> ... <member_n> set intra-switch-policy {implicit | explicit} next end
member <member_1> <member_2> ... <member_n>
Enter the VXLAN interface and other physical or virtual interfaces that will share the L2 network.
When adding an interface member to a software switch, it cannot have an IP address or be referenced in any other settings.
intra-switch-policy {implicit | explicit}
Allow any traffic between switch interfaces or require firewall policies to allow traffic between switch interfaces:
implicit
: traffic between switch members is implicitly allowed.explicit
: traffic between switch members must match firewall policies (explicit firewall policies are required to allow traffic between members).
When in explicit mode, traffic can be offloaded to SOC4/SOC5/NP6/NP7 processors.
-
Connect using a virtual wire pair:
config system virtual-wire-pair edit <name> set member <member_1> <member_2> set wildcard-vlan {enable | disable} set vlan-filter <filter> next end
member <member_1> <member_2>
Enter the VXLAN interface and other physical or virtual interface that will share the L2 network.
wildcard-vlan {enable | disable}
Enable/disable wildcard VLAN. Disable to prevent VLAN-tagged traffic between the members of the virtual wire pair (default). Enable for VLAN tags to be allowed between the members.
vlan-filter <filter>
When wildcard-vlan is enabled, set the VLAN filter to specify which VLANs are allowed. By default, an empty vlan-filter allows all VLANs.
-
-
If using a virtual wire pair, configure a firewall policy that allows bi-directional traffic between the members of the virtual wire pair and inspection between them:
config firewall policy edit <id> set name <name> set srcintf <member_1> <member_2> set dstintf <member_1> <member_2> set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" next end
Topologies
Many topologies can be deployed with VXLAN. A FortiGate can connect to VXLAN endpoints that are Fortinet devices or devices from other vendors. In the following topologies, it is assumed that at least one of the VTEPs is a FortiGate. The second VTEP can be any vendor.
Basic VXLAN between two VTEPs
In this topology, a FortiGate (VTEP 1) is configured with a VXLAN interface over port1 where the remote-ip
points to port1 of VTEP 2. The VXLAN interface and port2 can be associated with the same L2 network by making them members of either a software switch or a virtual wire pair. Devices under the L2 switches are part of the same L2 network.
See Virtual wire pair with VXLAN for an example configuration.
VXLAN between two VTEPs with wildcard VLANs
In this topology, a FortiGate (VTEP 1) is configured with a VXLAN interface over port1 where the remote-ip
points to port1 of VTEP 2. The VXLAN interface is combined with port2 into the same L2 network using a virtual wire pair. The virtual wire pair allows wildcard VLANs to pass, which allows VLAN tags to be encapsulated over VXLAN. As a result, VLANs can span different switches over VXLAN.
Variations of these two scenarios can also be found in FortiGate to FortiSwitch FortiLink connections over VXLAN. See Deployment procedures in the FortiSwitch VXLAN Deployment Guide for example configurations.
VXLAN between two VTEPs over IPsec
In scenarios where VTEPs are located in different sites and traffic must be secured between the sites, VXLAN will need to be encrypted over IPsec. The VXLAN interface must use the IPsec interface as its outgoing interface. The remote-ip
must be configured as the IP of the remote IPsec gateway. The VXLAN interface can be combined with port2 into the same L2 network using a software switch or virtual wire pair. Devices under the L2 switches can communicate with each other.
See VXLAN over IPsec tunnel with virtual wire pair for an example configuration. A variation of this scenario is explained in FortiExtender as FortiGate LAN extension (FortiExtender FortiGate-Managed Administration Guide).
VXLAN between multiple VTEPs in an IPsec hub and spoke topology
In this topology, an IPsec VPN hub and spoke overlay network is already configured between sites. To allow networks behind the hub and spokes to be connected together, each spoke has a VXLAN connection to the hub, and the hub allows interconnection between its private network and each of the VXLAN interfaces to the spokes. In this scenario, the private networks behind each spoke are actually on the same L2 network as the private network behind the hub.
See VXLAN over IPsec using a VXLAN tunnel endpoint for an example configuration.