Fortinet black logo

New Features

Home FortiGate / FortiOS 7.2.0 New Features

Manage FortiSwitch units on VXLAN interfaces

7.2.0
7.4.0
7.2.0
7.0.0
6.4.0
6.2.0
Copy Link
Copy Doc ID 77966226-6996-11ec-bdf2-fa163e15d75b:44849
Download PDF

Manage FortiSwitch units on VXLAN interfaces

You can use Virtual Extensible LAN (VXLAN) interfaces to create a layer-2 overlay network when managing a FortiSwitch unit over a layer-3 network. After a VXLAN tunnel is set up between a FortiGate device and a FortiSwitch unit, the FortiGate device can use the VXLAN interface to manage the FortiSwitch unit. Only the management traffic uses the VXLAN tunnel; the FortiSwitch data traffic does not go through the VXLAN tunnel to the FortiGate device.

In the following configuration example, the FG-500E device is connected with a VXLAN tunnel to the FS-524D unit. After FortiLink is enabled on the VXLAN interface, the FortiGate device can managed the FortiSwitch unit.

To manage the FortiSwitch unit with the VXLAN interface:

  1. Configure the FortiSwitch unit.

  2. Configure the FortiGate device.

Configure the FortiSwitch unit

  1. Configure a VLAN to use as the VXLAN interface.

    config system interface

    edit "vlan-1000"

    set ip 10.200.1.2 255.255.255.0

    set vlanid 1000

    set interface "internal"

    next

    end

  2. Configure the VXLAN interface with the remote IP address of the FortiGate device.

    config system vxlan

    edit "vx-4094"

    set vni 123456

    set vlanid 4094

    set interface "vlan-1000"

    set remote-ip "10.100.1.1"

    next

    end

  3. Configure a static route with the VXLAN remote IP address as the destination.

    config router static

    edit 1

    set device "vlan-1000"

    set dst 10.100.1.1 255.255.255.255

    set gateway 10.200.1.50

    next

    end

  4. Set up the switch port that physically connects to the router and enable FortiLink mode over layer-3 network.

    config switch interface

    edit port19

    set fortilink-l3-mode enable

    end

  5. Configure the switch trunk to make it static and disable the automatic VLAN provisioning.

    config switch trunk

    edit "__FoRtILnk0L3__"

    set auto-isl 1

    set static-isl enable

    set static-isl-auto-vlan disable

    set members "port19"

    next

    end

  6. Configure the FortiLink interface to set the native VLAN to match the VLAN used for the VXLAN defined in step 1.

    config switch interface

    edit "__FoRtILnk0L3__"

    set native-vlan 1000

    set allowed-vlans 1,1000,4088-4094

    set dhcp-snooping trusted

    ....

    next

    end

  7. Enable DHCP discovery.

    config switch-controller global

    set ac-discovery-type dhcp

    end

Configure the FortiGate device

  1. Configure the system interface.

    config system interface

    edit "port2"

    set vdom "root"

    set ip 10.100.1.1 255.255.255.0

    set allowaccess ping https http

    set type physical

    set snmp-index 4

    next

    end

  2. Configure the VXLAN interface.

    config system vxlan

    edit "flk-vxlan"

    set interface "port2"

    set vni 123456

    set remote-ip "10.200.1.2"

    next

    end

  3. Configure the FortiLink interface as the VXLAN type and set the IP address.

    config system interface

    edit "flk-vxlan"

    set vdom "root"

    set fortilink enable

    set ip 10.255.2.1 255.255.255.0

    set allowaccess ping fabric

    set type vxlan

    set lldp-reception enable

    set lldp-transmission enable

    set snmp-index 26

    set interface "port2"

    next

    end

  4. Configure a static route.

    config router static

    edit 2

    set dst 10.200.1.0 255.255.255.0

    set gateway 10.100.1.50

    set distance 5

    set device "port2"

    next

    end

  5. Configure the DHCP server with option 138 to provide the switch-controller IP address to the FortiSwitch unit. DNS and NTP services are provided by the FortiGate device.

    config system dhcp server

    edit 6

    set dns-service local

    set ntp-service local

    set default-gateway 10.255.2.1

    set netmask 255.255.255.0

    set interface "flk-vxlan"

    config ip-range

    edit 1

    set start-ip 10.255.2.2

    set end-ip 10.255.2.254

    next

    end

    config options

    edit 1

    set code 138

    set type ip

    set ip "10.255.2.1"

    next

    end

    set vci-match enable

    set vci-string "FortiSwitch"

    next

    end

Previous
Next

Manage FortiSwitch units on VXLAN interfaces

You can use Virtual Extensible LAN (VXLAN) interfaces to create a layer-2 overlay network when managing a FortiSwitch unit over a layer-3 network. After a VXLAN tunnel is set up between a FortiGate device and a FortiSwitch unit, the FortiGate device can use the VXLAN interface to manage the FortiSwitch unit. Only the management traffic uses the VXLAN tunnel; the FortiSwitch data traffic does not go through the VXLAN tunnel to the FortiGate device.

In the following configuration example, the FG-500E device is connected with a VXLAN tunnel to the FS-524D unit. After FortiLink is enabled on the VXLAN interface, the FortiGate device can managed the FortiSwitch unit.

To manage the FortiSwitch unit with the VXLAN interface:

  1. Configure the FortiSwitch unit.

  2. Configure the FortiGate device.

Configure the FortiSwitch unit

  1. Configure a VLAN to use as the VXLAN interface.

    config system interface

    edit "vlan-1000"

    set ip 10.200.1.2 255.255.255.0

    set vlanid 1000

    set interface "internal"

    next

    end

  2. Configure the VXLAN interface with the remote IP address of the FortiGate device.

    config system vxlan

    edit "vx-4094"

    set vni 123456

    set vlanid 4094

    set interface "vlan-1000"

    set remote-ip "10.100.1.1"

    next

    end

  3. Configure a static route with the VXLAN remote IP address as the destination.

    config router static

    edit 1

    set device "vlan-1000"

    set dst 10.100.1.1 255.255.255.255

    set gateway 10.200.1.50

    next

    end

  4. Set up the switch port that physically connects to the router and enable FortiLink mode over layer-3 network.

    config switch interface

    edit port19

    set fortilink-l3-mode enable

    end

  5. Configure the switch trunk to make it static and disable the automatic VLAN provisioning.

    config switch trunk

    edit "__FoRtILnk0L3__"

    set auto-isl 1

    set static-isl enable

    set static-isl-auto-vlan disable

    set members "port19"

    next

    end

  6. Configure the FortiLink interface to set the native VLAN to match the VLAN used for the VXLAN defined in step 1.

    config switch interface

    edit "__FoRtILnk0L3__"

    set native-vlan 1000

    set allowed-vlans 1,1000,4088-4094

    set dhcp-snooping trusted

    ....

    next

    end

  7. Enable DHCP discovery.

    config switch-controller global

    set ac-discovery-type dhcp

    end

Configure the FortiGate device

  1. Configure the system interface.

    config system interface

    edit "port2"

    set vdom "root"

    set ip 10.100.1.1 255.255.255.0

    set allowaccess ping https http

    set type physical

    set snmp-index 4

    next

    end

  2. Configure the VXLAN interface.

    config system vxlan

    edit "flk-vxlan"

    set interface "port2"

    set vni 123456

    set remote-ip "10.200.1.2"

    next

    end

  3. Configure the FortiLink interface as the VXLAN type and set the IP address.

    config system interface

    edit "flk-vxlan"

    set vdom "root"

    set fortilink enable

    set ip 10.255.2.1 255.255.255.0

    set allowaccess ping fabric

    set type vxlan

    set lldp-reception enable

    set lldp-transmission enable

    set snmp-index 26

    set interface "port2"

    next

    end

  4. Configure a static route.

    config router static

    edit 2

    set dst 10.200.1.0 255.255.255.0

    set gateway 10.100.1.50

    set distance 5

    set device "port2"

    next

    end

  5. Configure the DHCP server with option 138 to provide the switch-controller IP address to the FortiSwitch unit. DNS and NTP services are provided by the FortiGate device.

    config system dhcp server

    edit 6

    set dns-service local

    set ntp-service local

    set default-gateway 10.255.2.1

    set netmask 255.255.255.0

    set interface "flk-vxlan"

    config ip-range

    edit 1

    set start-ip 10.255.2.2

    set end-ip 10.255.2.254

    next

    end

    config options

    edit 1

    set code 138

    set type ip

    set ip "10.255.2.1"

    next

    end

    set vci-match enable

    set vci-string "FortiSwitch"

    next

    end

Previous
Next