
Administration Guide

FortiGate LAN extension

LAN extension mode allows a remote FortiGate to connect the network behind it to a local FortiGate over a backhaul connection, so that the remote LAN is served and secured by the local FortiGate.

The remote FortiGate, called the FortiGate Connector, discovers the local FortiGate, called the FortiGate Controller, and forms one or more IPsec tunnels back to the FortiGate Controller. A VXLAN is established over the IPsec tunnels creating an L2 network between the FortiGate Controller and the network behind the FortiGate Connector.

Example CLI configuration

In this example, the Controller provides secure internet access to the remote network behind the Connector. The Controller has two WAN connections: an inbound backhaul connection and an outbound internet connection. The Connector has two wired WAN/uplink ports that are connected to the internet.

After the Connector discovers the Controller and is authorized by the Controller, the Controller pushes a FortiGate LAN extension profile to the Connector. The Connector uses the profile configurations to form two IPsec tunnels back to the Controller. Additional VXLAN aggregate interfaces are automatically configured to create an L2 network between the Connector LAN port and a virtual LAN extension interface on the Controller. Clients behind the Connector can then connect to the internet through the Controller that is securing the internet connection.

To discover and authorize the FortiGate Controller:
  1. On the FortiGate Controller:

    1. For high-end models (1000 series and higher), enable the FortiExtender setting:

      config system global
          set fortiextender enable
      end
      Note

      This command is configured by default on entry-level and mid-range models (900 series and lower).

    2. Enable IPAM and management of LAN extension interface addresses:

      config system ipam
          set status enable
          set manage-lan-extension-addresses enable
      end 
    3. Enable security fabric connections on port3 to allow the Connector to connect over CAPWAP:

      config system interface
          edit "port3"
              set vdom "root"
              set ip 1.1.1.10 255.255.255.0
              set allowaccess fabric ping
              set ip-managed-by-fortiipam disable
          next
      end
      Note

      IPAM is specifically disabled for this interface since a static IP address is desired for this topology.

  2. On the FortiGate Connector:

    1. Enable VDOMs:

      config system global
          set vdom-mode multi-vdom
      end

      You will be logged out of the device when VDOM mode is enabled.

    2. For high-end models (1000 series and higher), enable the FortiExtender setting in the global VDOM:

      config global
          config system global
              set fortiextender enable
          end
      end
      Note

      This command is configured by default on entry-level and mid-range models (900 series and lower).

    3. Create the lan-ext VDOM while setting the VDOM type to LAN extension (making the VDOM act as a FortiExtender in LAN extension mode), and add the Controller IP address:

      config vdom
          edit lan-ext
              config system settings
                  set vdom-type lan-extension
                  set lan-extension-controller-addr "1.1.1.10"
                  set ike-port 4500
              end
          next
      end
    4. Configure port1 and port2 to access the Controller:

      config system interface
          edit "port1"
              set vdom "lan-ext"
              set ip 5.5.5.1 255.255.255.0
              set allowaccess ping fabric
              set type physical
              set lldp-reception enable
              set role wan
          next
          edit "port2"
              set vdom "lan-ext"
              set ip 6.6.6.1 255.255.255.0
              set allowaccess ping fabric
              set type physical
              set lldp-reception enable
              set role wan
          next
      end
  3. On the FortiGate Controller:

    1. Extension controller configurations are automatically initialized:

      config extension-controller fortigate-profile
          edit "FGCONN-lanext-default"
              set id 0
              config lan-extension
                  set ipsec-tunnel "fg-ipsec-XdSpij"
                  set backhaul-interface "port3"
              end
          next
      end
      config extension-controller fortigate
          edit "FGT60E0000000001"
              set id "FG5H1E0000000001"
              set device-id 0
              set profile "FGCONN-lanext-default"
          next
      end
    2. Authorize the Connector:

      config extension-controller fortigate
          edit "FGT60E0000000001"
              set authorized enable
          next
      end
  4. After the FortiGate Connector has been authorized, the Controller pushes the IPsec tunnel configuration to the Connector, which establishes the tunnels and builds the VXLAN overlay on top of them.

    The VXLANs are built on the IPsec tunnels between the Connector and Controller. The VXLAN interfaces are aggregated for load balancing and redundancy. A softswitch combines the aggregate interface with the local LAN ports, allowing the LAN ports to be part of the VXLAN. This combines the local LAN ports with the virtual LAN extension interface on the FortiGate Controller.

    1. The Connector receives the IPsec configurations from the Controller, and automatically creates tunnels for each uplink:

      config vpn ipsec phase1-interface
          edit "ul-port1"
              set interface "port1"
              set ike-version 2
              set peertype any
              set net-device disable
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set localid "peerid-T4YLv2rp62SU6JhoCPIv02MzjLtS7P5HlxRER1Qpi6O9ZsAsbPSpvoiE"
              set dpd on-idle
              set comments "[FGCONN] Do NOT edit. Automatically generated by extension controller."
              set remote-gw 1.1.1.10
              set psksecret ******
          next
          edit "ul-port2"
              set interface "port2"
              set ike-version 2
              set peertype any
              set net-device disable
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set localid "peerid-T4YLv2rp62SU6JhoCPIv02MzjLtS7P5HlxRER1Qpi6O9ZsAsbPSpvoiE"
              set dpd on-idle
              set comments "[FGCONN] Do NOT edit. Automatically generated by extension controller."
              set remote-gw 1.1.1.10
              set psksecret ******
          next
      end
    2. VXLAN interfaces are automatically configured and formed over each tunnel:

      config system vxlan
          edit "vx-port1"
              set interface "ul-port1"
              set vni 1
              set dstport 9999
              set remote-ip "10.252.0.1"
          next
          edit "vx-port2"
              set interface "ul-port2"
              set vni 1
              set dstport 9999
              set remote-ip "10.252.0.1"
          next
      end
    3. An aggregate interface is automatically configured to load balance between the two VXLAN interfaces, using the source MAC and providing link redundancy:

      config system interface
          edit "le-agg-link"
              set vdom "lan-ext"
              set type aggregate
              set member "vx-port1" "vx-port2"
              set snmp-index 35
              set lacp-mode static
              set algorithm Source-MAC
          next
      end
    4. The softswitch is automatically configured and bridges the aggregate interface and the local LAN to connect the LAN to the VXLAN bridged L2 network that goes to the FortiGate LAN extension interface:

      config system switch-interface
          edit "le-switch"
              set vdom "lan-ext"
              set member "le-agg-link" "lan"
          next
      end
To configure the LAN extension interface and firewall policy on the FortiGate Controller:
  1. After the IPsec tunnels are set up and the VXLAN is created over them, the LAN extension interface is automatically created on the Controller:

    config system interface
        edit "FGT60E0000000001"
            set vdom "root"
            set ip 192.168.0.254 255.255.255.0
            set allowaccess ping ssh
            set type lan-extension
            set role lan
            set snmp-index 27
            set ip-managed-by-fortiipam enable
            set interface "fg-ipsec-XdSpij"
        next
    end

    Devices on the remote LAN network will use this IP address as their gateway.

  2. With IPAM enabled on the Controller, the DHCP server settings for the LAN extension interface are configured automatically:

    config system dhcp server
        edit 3
            set dns-service default
            set default-gateway 9.9.9.99
            set netmask 255.255.255.0
            set interface "FGT60E0000000001"
            config ip-range
                edit 1
                    set start-ip 9.9.9.100
                    set end-ip 9.9.9.254
                next
            end
            set dhcp-settings-from-fortiipam enable
            config exclude-range
                edit 1
                    set start-ip 9.9.9.254
                    set end-ip 9.9.9.254
                next
            end
        next
    end
    
  3. Configure the firewall policy to allow traffic from the LAN extension interface to the WAN interface (port1):

    config firewall policy
        edit "2"
            set name "lan-ext"
            set srcintf "FGT60E0000000001"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end

    Optionally, security profiles and other settings can be configured. Because this policy matches all sources, destinations and services, apply the same security profiles (for example antivirus, IPS and web filtering) that you would apply to a directly connected LAN; without them, the remote clients reach the internet through the Controller unfiltered.

    The policy allows remote LAN clients to access the internet through the backhaul channel. Clients in the remote LAN behind the Connector receive an IP address over DHCP and access the internet securely through the Controller.
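The interface and DHCP scope shown in steps 1 and 2 should agree with each other: IPAM assigns the LAN extension interface its address and derives the DHCP scope from it, so the scope's default gateway should be the interface address and the lease range should lie inside the interface subnet. The following check is an added example and not part of the Fortinet documentation; parse_fortios() is a small parser for FortiOS CLI snippets written for this example (an assumption, not a Fortinet tool), and check_lanext_dhcp() generalizes the check to any interface with one or more scopes bound to it. Run over the two snippets as printed above, it reports that the scope's 9.9.9.x gateway and lease range do not belong to the interface's 192.168.0.0/24 subnet; a constructed scope on the interface subnet passes.

```python
# Consistency check between the LAN extension interface and the DHCP scope
# bound to it. parse_fortios() is a minimal parser for FortiOS CLI snippets
# (config / edit / set / next / end); check_lanext_dhcp() then verifies the
# scope against the interface address and subnet with the ipaddress module.
import ipaddress
import shlex

# Copied from the page (trimmed): the auto-created LAN extension interface
# and the DHCP scope shown for it, which uses 9.9.9.0/24 addresses.
PAGE_CONFIG = """
config system interface
    edit "FGT60E0000000001"
        set vdom "root"
        set ip 192.168.0.254 255.255.255.0
        set type lan-extension
        set role lan
    next
end
config system dhcp server
    edit 3
        set default-gateway 9.9.9.99
        set netmask 255.255.255.0
        set interface "FGT60E0000000001"
        config ip-range
            edit 1
                set start-ip 9.9.9.100
                set end-ip 9.9.9.254
            next
        end
        set dhcp-settings-from-fortiipam enable
        config exclude-range
            edit 1
                set start-ip 9.9.9.254
                set end-ip 9.9.9.254
            next
        end
    next
end
"""

# Constructed: the same scope moved onto the interface's own 192.168.0.0/24,
# with the gateway kept out of the lease range.
CONSISTENT_CONFIG = (PAGE_CONFIG.replace("9.9.9.99", "192.168.0.254")
                     .replace("9.9.9.100", "192.168.0.100")
                     .replace("9.9.9.254", "192.168.0.253"))


def parse_fortios(text):
    """Nested dicts: 'config X'/'edit K' open a level, 'set K V...' stores a str
    (one value) or a list (several values), 'next'/'end' close the level."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        parts = shlex.split(raw)  # shlex strips the quotes around names
        if not parts:
            continue
        if parts[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(parts[1:]), {}))
        elif parts[0] == "set":
            stack[-1][parts[1]] = parts[2] if len(parts) == 3 else parts[2:]
        elif parts[0] in ("next", "end"):
            stack.pop()
    return root


def check_lanext_dhcp(config_text, intf_name):
    """Problems found for the DHCP scope(s) bound to intf_name; empty when consistent."""
    cfg = parse_fortios(config_text)
    intf_ip, mask = cfg["system interface"][intf_name]["ip"]
    gateway = ipaddress.ip_address(intf_ip)
    subnet = ipaddress.ip_interface(f"{intf_ip}/{mask}").network
    scopes = {sid: s for sid, s in cfg.get("system dhcp server", {}).items()
              if s.get("interface") == intf_name}
    if not scopes:
        return [f"no DHCP server is bound to {intf_name}"]
    problems = []
    for sid, scope in scopes.items():
        if ipaddress.ip_address(scope["default-gateway"]) != gateway:
            problems.append(f"scope {sid}: default-gateway {scope['default-gateway']} "
                            f"is not the interface address {gateway}")
        if scope.get("netmask") != mask:
            problems.append(f"scope {sid}: netmask {scope.get('netmask')} differs from {mask}")
        # Addresses withheld from leasing; the gateway may sit inside a range only if excluded.
        excluded = [(ipaddress.ip_address(r["start-ip"]), ipaddress.ip_address(r["end-ip"]))
                    for r in scope.get("exclude-range", {}).values()]
        for rid, rng in scope.get("ip-range", {}).items():
            start, end = (ipaddress.ip_address(rng[k]) for k in ("start-ip", "end-ip"))
            if start > end:
                problems.append(f"scope {sid} range {rid}: start {start} is after end {end}")
            elif start not in subnet or end not in subnet:
                problems.append(f"scope {sid} range {rid}: {start}-{end} lies outside {subnet}")
            elif start <= gateway <= end and not any(a <= gateway <= b for a, b in excluded):
                problems.append(f"scope {sid} range {rid}: gateway {gateway} would be leased to a client")
    return problems
```

Paste the output of `show system interface <name>` and `show system dhcp server` from the Controller into PAGE_CONFIG's place to run the same check against a live unit; an empty list means the scope hands out addresses the LAN extension interface can actually route.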

To verify the FortiGate LAN extension configuration:
  1. Verify the IPsec tunnels' phase 1 and phase 2 negotiations on the Controller and Connector:

    # diagnose ike vpn gateway list 
    # diagnose vpn tunnel list
  2. Verify the VXLAN tunnel forwarding database list on the Controller and Connector:

    # diagnose sys vxlan fdb list
  3. Verify the DHCP server lease list on the Controller:

    # execute dhcp lease-list
  4. Verify the LAN extension session information on the Controller:

    Controller-FGT # get extender session-info
    Total 1 WS sessions, 0 AS sessions:
    fg connector sessions:
    FGT60E0000000001 : 1.1.1.10:5246 (dport 65535)lan-extension,  running,  install, data-enable, refcnt 6, miss_echos -1, up-time 1554 secs, change 1
    extender sessions: 
    

    In this example, the Connector is in a working state.

  5. Verify the LAN extension status on the Connector:

    Connector-FGT (lan-ext) # get extender lanextension-vdom-status
    
    Control-Channel:
            controller ip: 1.1.1.0
            controller port: 5246
            controller name: FG5H1E0000000001
            missed echo: 0
            up time(seconds): 29483
            status: EXTWS_RUN
    Data-Channel:
    uplink [0]: port1
            IPsec tunnel ul-port1
            VxLAN interface vx-port1
    uplink [1]: port2
            IPsec tunnel ul-port2
            VxLAN interface vx-port2
    downlink [0]: lan
    

    In this example, the Connector is in a working state.
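The two status outputs above are what a monitoring job would poll over SSH. The following script is an added example and not part of the Fortinet documentation: it parses both outputs exactly as printed above (embedded as constructed samples) and reduces them to a list of findings. The Controller session must be in lan-extension mode, running and data-enabled; the Connector's control channel must be EXTWS_RUN with no missed echoes, every uplink must carry both an IPsec tunnel and a VXLAN interface, and at least one downlink must exist. The optional expected_controller argument cross-checks the reported controller ip against the configured lan-extension-controller-addr; the sample output above reports 1.1.1.0 while the Connector was configured with 1.1.1.10, so that cross-check raises a finding.

```python
# Health check over the outputs of `get extender session-info` (Controller)
# and `get extender lanextension-vdom-status` (Connector). The *_findings()
# functions return a list of problems, empty when the LAN extension is healthy.
import re

# Constructed sample: the Controller output shown on the page.
SESSION_INFO = """\
Total 1 WS sessions, 0 AS sessions:
fg connector sessions:
FGT60E0000000001 : 1.1.1.10:5246 (dport 65535)lan-extension,  running,  install, data-enable, refcnt 6, miss_echos -1, up-time 1554 secs, change 1
extender sessions:
"""

# Constructed sample: the Connector output shown on the page.
VDOM_STATUS = """\
Control-Channel:
        controller ip: 1.1.1.0
        controller port: 5246
        controller name: FG5H1E0000000001
        missed echo: 0
        up time(seconds): 29483
        status: EXTWS_RUN
Data-Channel:
uplink [0]: port1
        IPsec tunnel ul-port1
        VxLAN interface vx-port1
uplink [1]: port2
        IPsec tunnel ul-port2
        VxLAN interface vx-port2
downlink [0]: lan
"""

# One Connector line: "<name> : <ip>:<port> (dport N)<mode>,  <state>,  <flag>, <flag>, ..."
_SESSION_RE = re.compile(r"^(?P<name>\S+) : (?P<ip>[\d.]+):(?P<port>\d+) \(dport \d+\)"
                         r"(?P<mode>[\w-]+),\s+(?P<state>\w+),(?P<flags>.*)$")


def parse_session_info(text):
    """One dict per entry under 'fg connector sessions:' with the flags split into a list."""
    sessions, in_connectors = [], False
    for line in text.splitlines():
        if line.startswith("fg connector sessions:") or line.startswith("extender sessions:"):
            in_connectors = line.startswith("fg ")
            continue
        m = _SESSION_RE.match(line.strip()) if in_connectors else None
        if m:
            s = m.groupdict()
            s["flags"] = [f.strip() for f in s["flags"].split(",") if f.strip()]
            sessions.append(s)
    return sessions


def parse_vdom_status(text):
    """Control-channel key/value pairs plus the uplink/downlink entries of the data channel."""
    status, section = {"control": {}, "uplinks": [], "downlinks": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Control-Channel:":
            section = "control"
        elif line == "Data-Channel:":
            section = "data"
        elif section == "control" and ":" in line:
            key, _, value = line.partition(":")
            status["control"][key.strip()] = value.strip()
        elif section == "data":
            m = re.match(r"(uplink|downlink) \[\d+\]: (\S+)", line)
            if m:
                status[m.group(1) + "s"].append({"port": m.group(2), "ipsec": None, "vxlan": None})
            elif line.startswith("IPsec tunnel ") and status["uplinks"]:
                status["uplinks"][-1]["ipsec"] = line.split()[-1]
            elif line.startswith("VxLAN interface ") and status["uplinks"]:
                status["uplinks"][-1]["vxlan"] = line.split()[-1]
    return status


def controller_findings(sessions):
    """Problems seen from the Controller; empty when every Connector runs with data enabled."""
    if not sessions:
        return ["no Connector session on the Controller"]
    problems = []
    for s in sessions:
        if s["mode"] != "lan-extension":
            problems.append(f"{s['name']}: mode is {s['mode']}")
        if s["state"] != "running":
            problems.append(f"{s['name']}: state is {s['state']}")
        if "data-enable" not in s["flags"]:
            problems.append(f"{s['name']}: data channel is not enabled")
    return problems


def connector_findings(status, expected_controller=None):
    """Problems seen from the Connector; expected_controller is the configured controller address."""
    c, problems = status["control"], []
    if c.get("status") != "EXTWS_RUN":
        problems.append(f"control channel status is {c.get('status')}")
    if c.get("missed echo") != "0":
        problems.append(f"missed echo is {c.get('missed echo')}")
    if expected_controller and c.get("controller ip") != expected_controller:
        problems.append(f"controller ip {c.get('controller ip')} differs from configured {expected_controller}")
    for up in status["uplinks"]:
        if not (up["ipsec"] and up["vxlan"]):
            problems.append(f"uplink {up['port']} lacks an IPsec tunnel or VXLAN interface")
    if not status["downlinks"]:
        problems.append("no downlink (no LAN port with role lan)")
    return problems
```

Feed the live command output to the two parsers instead of the constants; a non-empty findings list is the alert condition, and because each finding names the uplink or field involved, the message can go straight into a ticket.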

Example GUI configuration

In this example, an FG-301E is the FortiGate Controller, and CAPWAP access is allowed on port3. An FG-201F is the FortiGate Connector with WAN port3 connected to the FortiGate Controller, and LAN port5 is connected to the client PCs.

To configure the FortiGate LAN extension:
  1. On the FortiGate Controller, enable the FortiExtender setting. For high-end models (1000 series and higher) and VM models, enter:

    config system global
        set fortiextender enable
    end
    Note

    This command is configured by default on entry-level and mid-range models (900 series and lower).

  2. On the FortiGate Controller, configure the port3 settings:

    1. Go to Network > Interfaces and edit port3.

    2. Set the Addressing mode to IPAM.

    3. In this example, IPAM is not enabled yet. Click Enable IPAM. The IPAM Settings pane opens.

    4. Set the Status to Enabled, enable FortiExtender LAN extensions, then click OK.

    5. In the Administrative Access > IPv4 section, select Security Fabric Connection to enable CAPWAP on the interface.

    6. Enable DHCP Server.

    7. Click OK.

  3. On the FortiGate Connector, enable VDOMs:

    1. Go to System > Settings.

    2. In the System Operation Settings section, enable Virtual Domains.

    3. Click OK. You will be logged out of the device when VDOM mode is enabled.

  4. On the FortiGate Connector, enable the FortiExtender setting. For high-end models (1000 series and higher) and VM models, enter:

    config system global
        set fortiextender enable
    end
    Note

    This command is configured by default on entry-level and mid-range models (900 series and lower).

  5. On the FortiGate Connector, configure the LAN extension VDOM:

    1. Go to System > VDOM and click Create New.

    2. Enter a name (lan-extvdom) and set the Type to LAN Extension.

    3. Click OK. The LAN Extension VDOM Created prompt appears.

    4. Click Go to interface list page to assign a role (LAN or WAN) and the LAN extension VDOM.

  6. On the FortiGate Connector, edit port3:

    1. Set the Role to WAN.

    2. Set the Virtual domain to lan-extvdom.

    3. Click OK.

  7. On the FortiGate Connector, edit port5:

    1. Set the Role to LAN.

    2. Set the Virtual domain to lan-extvdom.

    3. Click OK.

      Note

      Setting the Role to LAN will automatically add this interface to the le-switch LAN extension software switch, which forms an L2 network with the VXLAN.

      To add more LAN ports to le-switch automatically, set the Role to LAN for other desired LAN ports.

  8. On the FortiGate Connector, select the LAN extension VDOM, and enter the IP address of the FortiGate Controller:

    1. Go to Network > LAN Extension.

    2. Set the Access Controller (AC) address to 172.31.0.254.

    3. Click Apply.

  9. On the FortiGate Controller, enable the FortiExtender feature visibility in the GUI, and authorize the FortiGate Connector:

    1. Go to System > Feature Visibility. In the Additional Features section, enable FortiExtender and click Apply.

    2. Go to Network > FortiExtenders and select the Managed FortiExtenders tab.

    3. Select the device, then right-click and select Authorization > Authorize.

    4. Click OK to authorize the device.

  10. On the FortiGate Controller, configure the LAN extension interface:

    1. Go to Network > Interfaces and edit the LAN extension interface.

    2. Set the Addressing mode to IPAM and set When to use IPAM to Inherit IPAM auto-manage settings (default).

    3. Enable DHCP Server, and configure the settings as needed (see DHCP servers and relays for more information).

    4. Click OK.

  11. On the FortiGate Controller, configure the default gateway:

    1. Go to Network > Static Routes and edit the default gateway settings to specify the correct internet gateway address and WAN interface.

    2. Click OK.

  12. On the FortiGate Controller, configure the firewall policy to allow traffic to pass:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Set the Incoming Interface to the LAN extension interface.

    3. Configure the other settings as needed.

    4. Click OK.

  13. On the FortiGate Connector, verify that the LAN extension is connected:

    1. Go to Network > LAN Extension.

    2. Verify that the Status is Connected.

DHCP client mode for inter-VDOM links

Continuing with the same configuration as the previous example, a new VDOM named lan-extvdom was created on the FortiGate Connector and its type was set to LAN extension, which makes the VDOM function as a FortiExtender in LAN extension mode. Note that a LAN extension VDOM provides no FortiGate security features: its LAN ports are bridged at L2 to the Controller, where policy is applied. To apply FortiGate security features locally on the Connector, use another VDOM, such as the root VDOM.

Once the DHCP server is enabled on the FortiGate Controller (as shown in step 2 of the previous example), an inter-VDOM link belonging to another VDOM (in this case, the root VDOM) can receive an IP address by DHCP from the FortiGate Controller.

In this topology, two DHCP clients on the FortiGate Connector obtain addresses from two different DHCP servers on the FortiGate Controller:

  • port3 on the Connector obtains its IP address from the DHCP server on the Controller interface it is connected to (port3).
  • lan_ext1 obtains its IP address from the DHCP server on the Controller's LAN extension interface.
To configure DHCP client mode on the inter-VDOM link on the FortiGate Connector:
  1. Add the VDOM link with an Ethernet type:

    config system vdom-link
        edit "lan-extvdom"
            set type ethernet
        next
    end
  2. Configure the VDOM link interfaces:

    config system interface
        edit "lan_ext0"
            set vdom "lan-extvdom"
            set role lan
        next
        edit "lan_ext1"
            set vdom "root"
            set mode dhcp
        next
    end

    Since lan_ext0 has its role set to lan, this interface is added to the le-switch software switch in the lan-extvdom VDOM. This software switch provides network connectivity to the LAN extension clients (in the previous example) and the root VDOM clients (in this example) through the FortiGate Connector LAN extension VXLAN aggregate link.

  3. Verify that the lan_ext1 interface obtained an IP address from the FortiGate Controller (the client IP address for the lan_ext1 VDOM link is from the same 192.168.0.0/24 subnet in step 10c of the previous example):

    Connector-FGT (lan-ext) # diagnose ip address list | grep lan_ext1
    IP=192.168.0.1->192.168.0.1/255.255.255.0 index=30 devname=lan_ext1 
    

More Links

FortiGate LAN extension

LAN extension mode allows a remote FortiGate to provide remote connectivity to a local FortiGate over a backhaul connection.

The remote FortiGate, called the FortiGate Connector, discovers the local FortiGate, called the FortiGate Controller, and forms one or more IPsec tunnels back to the FortiGate Controller. A VXLAN is established over the IPsec tunnels creating an L2 network between the FortiGate Controller and the network behind the FortiGate Connector.

Example CLI configuration

In this example, the Controller provides secure internet access to the remote network behind the Connector. The Controller has two WAN connections: an inbound backhaul connection and an outbound internet connection. The Connector has two wired WAN/uplink ports that are connected to the internet.

After the Connector discovers the Controller and is authorized by the Controller, the Controller pushes a FortiGate LAN extension profile to the Connector. The Connector uses the profile configurations to form two IPsec tunnels back to the Controller. Additional VXLAN aggregate interfaces are automatically configured to create an L2 network between the Connector LAN port and a virtual LAN extension interface on the Controller. Clients behind the Connector can then connect to the internet through the Controller that is securing the internet connection.

To discover and authorize the FortiGate Controller:
  1. On the FortiGate Controller:

    1. For high-end models (1000 series and higher), enable the FortiExtender setting:

      config system global
          set fortiextender enable
      end
      Note

      This command is configured by default on entry-level and mid-range models (900 series and lower).

    2. Enable IPAM and management of LAN extension interface addresses:

      config system ipam
          set status enable
          set manage-lan-extension-addresses enable
      end 
    3. Enable security fabric connections on port3 to allow the Connector to connect over CAPWAP:

      config system interface
          edit "port3"
              set vdom "root"
              set ip 1.1.1.10 255.255.255.0
              set allowaccess fabric ping
              set ip-managed-by-fortiipam disable 			
          next
      end
      Note

      IPAM is specifically disabled for this interface since a static IP address is desired for this topology.

  2. On the FortiGate Connector:

    1. Enable VDOMs:

      config system global
          set vdom-mode multi-vdom
      end

      You will be logged out of the device when VDOM mode is enabled.

    2. For high-end models (1000 series and higher), enable the FortiExtender setting in the global VDOM:

      config global
          config system global
              set fortiextender enable
          end
      end
      Note

      This command is configured by default on entry-level and mid-range models (900 series and lower).

    3. Create the lan-ext VDOM while setting the VDOM type to LAN extension (making the VDOM act as a FortiExtender in LAN extension mode), and add the Controller IP address:

      config vdom
          edit lan-ext
              config system settings
                  set vdom-type lan-extension
                  set lan-extension-controller-addr "1.1.1.10"
                  set ike-port 4500
              end
          next
      end
    4. Configure port1 and port2 to access the Controller:

      config system interface
          edit "port1"
              set vdom "lan-ext"
              set ip 5.5.5.1 255.255.255.0
              set allowaccess ping fabric
              set type physical
              set lldp-reception enable
              set role wan
          next
          edit "port2"
              set vdom "lan-ext"
              set ip 6.6.6.1 255.255.255.0
              set allowaccess ping fabric
              set type physical
              set lldp-reception enable
              set role wan
          next
      end
  3. On the FortiGate Controller:

    1. Extension controller configurations are automatically initialized:

      config extension-controller fortigate-profile
          edit "FGCONN-lanext-default"
              set id 0
              config lan-extension
                  set ipsec-tunnel "fg-ipsec-XdSpij"
                  set backhaul-interface "port3"
              end
          next
      end
      config extension-controller fortigate
          edit "FGT60E0000000001"
              set id "FG5H1E0000000001"
              set device-id 0
              set profile "FGCONN-lanext-default"
          next
      end
    2. Authorize the Connector:

      config extension-controller fortigate
          edit "FGT60E0000000001"
              set authorized enable
          next
      end
  4. After the FortiGate Connector has been authorized, the Controller pushes the IPsec tunnel configuration to the Connector, forcing it to establish the tunnel and form the VXLAN mechanism.

    The VXLANs are built on the IPsec tunnels between the Connector and Controller. The VXLAN interfaces are aggregated for load balancing and redundancy. A softswitch combines the aggregate interface with the local LAN ports, allowing the LAN ports to be part of the VXLAN. This combines the local LAN ports with the virtual LAN extension interface on the FortiGate Controller.

    1. The Connector receives the IPsec configurations from the Controller, and automatically creates tunnels for each uplink:

      config vpn ipsec phase1-interface
          edit "ul-port1"
              set interface "port1"
              set ike-version 2
              set peertype any
              set net-device disable
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set localid "peerid-T4YLv2rp62SU6JhoCPIv02MzjLtS7P5HlxRER1Qpi6O9ZsAsbPSpvoiE"
              set dpd on-idle
              set comments "[FGCONN] Do NOT edit. Automatically generated by extension controller."
              set remote-gw 1.1.1.10
              set psksecret ******
          next
          edit "ul-port2"
              set interface "port2"
              set ike-version 2
              set peertype any
              set net-device disable
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set localid "peerid-T4YLv2rp62SU6JhoCPIv02MzjLtS7P5HlxRER1Qpi6O9ZsAsbPSpvoiE"
              set dpd on-idle
              set comments "[FGCONN] Do NOT edit. Automatically generated by extension controller."
              set remote-gw 1.1.1.10
              set psksecret ******
          next
      end
    2. VXLAN interfaces are automatically configured and formed over each tunnel:

      config system vxlan
          edit "vx-port1"
              set interface "ul-port1"
              set vni 1
              set dstport 9999
              set remote-ip "10.252.0.1"
          next
          edit "vx-port2"
              set interface "ul-port2"
              set vni 1
              set dstport 9999
              set remote-ip "10.252.0.1"
          next
      end
    3. An aggregate interface is automatically configured to load balance between the two VXLAN interfaces, using the source MAC and providing link redundancy:

      config system interface
          edit "le-agg-link"
              set vdom "lan-ext"
              set type aggregate
              set member "vx-port1" "vx-port2"
              set snmp-index 35
              set lacp-mode static
              set algorithm Source-MAC
          next
      end
    4. The softswitch is automatically configured and bridges the aggregate interface and the local LAN to connect the LAN to the VXLAN bridged L2 network that goes to the FortiGate LAN extension interface:

      config system switch-interface
          edit "le-switch"
              set vdom "lan-ext"
              set member "le-agg-link" "lan"
          next
      end
To configure the LAN extension interface and firewall policy on the FortiGate Controller:
  1. After the IPsec tunnel is setup and the VXLAN is created over the tunnel, the LAN extension interface is automatically created on the Controller:

    config system interface
        edit "FGT60E0000000001"
            set vdom "root"
            set ip 192.168.0.254 255.255.255.0
            set allowaccess ping ssh
            set type lan-extension
            set role lan
            set snmp-index 27
            set ip-managed-by-fortiipam enable
            set interface "fg-ipsec-XdSpij"
        next
    end

    Devices on the remote LAN network will use this IP address as their gateway.

  2. Observe that with IPAM enabled on the Controller that the DHCP server settings have been automatically configured:

    config system dhcp server
        edit 3
            set dns-service default
            set default-gateway 9.9.9.99
            set netmask 255.255.255.0
            set interface "FGT60E0000000001"
            config ip-range
                edit 1
                    set start-ip 9.9.9.100
                    set end-ip 9.9.9.254
                next
            end
            set dhcp-settings-from-fortiipam enable
            config exclude-range
                edit 1
                    set start-ip 9.9.9.254
                    set end-ip 9.9.9.254
                next
            end
        next
    end
    
  3. Configure the firewall policy to allow traffic from the LAN extension interface to the WAN interface (port1):

    config firewall policy
        edit "2"
            set name "lan-ext"
            set srcintf "FGT60E0000000001"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end

    Optionally, security profiles and other settings can be configured.

    The policy allows remote LAN clients to access the internet through the backhaul channel. Clients in the remote LAN behind the Connector receive an IP address over DHCP and access the internet securely through the Controller.

To verify the FortiGate LAN extension configuration:
  1. Verify the IPsec tunnels' phase 1 and phase 2 negotiations on the Controller and Connector:

    # diagnose ike vpn gateway list 
    # diagnose vpn tunnel list
  2. Verify the VXLAN tunnel forwarding database list on the Controller and Connector:

    # diagnose sys vxlan fdb list
  3. Verify the DHCP server lease list on the Controller:

    # execute dhcp lease-list
  4. Verify the LAN extension session information on the Controller:

    Controller-FGT # get extender session-info
    Total 1 WS sessions, 0 AS sessions:
    fg connector sessions:
    FGT60E0000000001 : 1.1.1.10:5246 (dport 65535)lan-extension,  running,  install, data-enable, refcnt 6, miss_echos -1, up-time 1554 secs, change 1
    extender sessions: 
    

    In this example, the Connector is in a working state.

  5. Verify the LAN extension status on the Connector:*

    Connector-FGT (lan-ext) # get extender lanextension-vdom-status
    
    Control-Channel:
            controller ip: 1.1.1.0
            controller port: 5246
            controller name: FG5H1E0000000001
            missed echo: 0
            up time(seconds): 29483
            status: EXTWS_RUN
    Data-Channel:
    uplink [0]: port1
            IPsec tunnel ul-port1
            VxLAN interface vx-port1
    uplink [1]: port2
            IPsec tunnel ul-port2
            VxLAN interface vx-port2
    downlink [0]: lan
    

    In this example, the Connector is in a working state.

Example GUI configuration NEW

In this example, an FG-301E is the FortiGate Controller, and CAPWAP access is allowed on port3. An FG-201F is the FortiGate Connector with WAN port3 connected to the FortiGate Controller, and LAN port5 is connected to the client PCs.

To configure the FortiGate LAN extension:
  1. On the FortiGate Controller, enable the FortiExtender setting. For high-end models (1000 series and higher) and VM models, enter:

    config system global
        set fortiextender enable
    end
    Note

    This command is configured by default on entry-level and mid-range models (900 series and lower).

  2. On the FortiGate Controller, configure the port3 settings:

    1. Go to Network > Interfaces and edit port3.

    2. Set the Addressing mode to IPAM.

    3. In this example, IPAM is not enabled yet. Click Enable IPAM. The IPAM Settings pane opens.

    4. Set the Status to Enabled, enable FortiExtender LAN extensions, then click OK.

    5. In the Administrative Access > IPv4 section, select Security Fabric Connection to enable CAPWAP on the interface.

    6. Enable DHCP Server.

    7. Click OK.

  3. On the FortiGate Connector, enable VDOMs:

    1. Go to System > Settings.

    2. In the System Operation Settings sections, enable Virtual Domains.

    3. Click OK. You will be logged out of the device when VDOM mode is enabled.

  4. On the FortiGate Connector, enable the FortiExtender setting. For high-end models (1000 series and higher) and VM models, enter:

    config system global
        set fortiextender enable
    end
    Note

    This command is configured by default on entry-level and mid-range models (900 series and lower).

  5. On the FortiGate Connector, configure the LAN extension VDOM:

    1. Go to System > VDOM and click Create New.

    2. Enter a name (lan-extvdom) and set the Type to LAN Extension.

    3. Click OK. The LAN Extension VDOM Created prompt appears.

    4. Click Go to interface list page to assign a role (LAN or WAN) and the LAN extension VDOM.

  6. On the FortiGate Connector, edit port3:

    1. Set the Role to WAN.

    2. Set the Virtual domain to lan-extvdom.

    3. Click OK.

  7. On the FortiGate Connector, edit port5:

    1. Set the Role to LAN.

    2. Set the Virtual domain to lan-extvdom.

    3. Click OK.

      Note

      Setting the Role to LAN will automatically add this interface to the le-switch LAN extension software switch, which forms an L2 network with the VXLAN.

      To add more LAN ports to le-switch automatically, set the Role to LAN for other desired LAN ports.

  8. On the FortiGate Connector, select the LAN extension VDOM, and enter the IP address of the FortiGate Controller:

    1. Go to Network > LAN Extension.

    2. Set the Access Controller (AC) address to 172.31.0.254.

    3. Click Apply.

  9. On the FortiGate Controller, enable the FortiExtender feature visibility in the GUI, and authorize the FortiGate Connector:

    1. Go to System > Feature Visibility. In the Additional Features section, enable FortiExtender and click Apply.

    2. Go to Network > FortiExtenders and select the Managed FortiExtenders tab.

    3. Select the device, then right-click and select Authorization > Authorize.

    4. Click OK to authorize the device.

  10. On the FortiGate Controller, configure the LAN extension interface:

    1. Go to Network > Interfaces and edit the LAN extension interface.

    2. Set the Addressing mode to IPAM and set When to use IPAM to Inherit IPAM auto-manage settings (default).

    3. Enable DHCP Server, and configure the settings as needed (see DHCP servers and relays for more information).

    4. Click OK.

  11. On the FortiGate Controller, configure the default gateway:

    1. Go to Network > Static Routes and edit the default gateway settings to specify the correct internet gateway address and WAN interface.

    2. Click OK.

  12. On the FortiGate Controller, configure the firewall policy to allow traffic to pass:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Set the Incoming Interface to the LAN extension interface.

    3. Configure the other settings as needed.

    4. Click OK.

  13. On the FortiGate Connector, verify that the LAN extension is connected:

    1. Go to Network > LAN Extension.

    2. Verify that the Status is Connected.

DHCP client mode for inter-VDOM links NEW

Continuing with the same configuration as the previous example, a new VDOM named lan-extvdom was created on the FortiGate Connector and its type was set to LAN extension. This configuration allows the VDOM to function as a FortiExtender in LAN extension mode. However, a LAN extension VDOM does not provide FortiGate security features. To apply FortiGate security features locally on the FortiGate Connector, use another VDOM, such as the root VDOM.

Once the DHCP server is enabled on the FortiGate Controller (as shown in step 2 of the previous example), an inter-VDOM link belonging to another VDOM (in this case, the root VDOM) can receive an IP address by DHCP from the FortiGate Controller.

In this topology, the DHCP clients on the FortiGate Connector interact with the different DHCP servers on the FortiGate Controller.

  • The port3 IP address is obtained by DHCP from the FortiGate Controller DHCP server on the port3 connected interface.
  • The lan_ext1 IP address is obtained by DHCP from the FortiGate Controller DHCP server on the LAN extension interface.

To configure DHCP client mode on the inter-VDOM link on the FortiGate Connector:
  1. Add the VDOM link with an Ethernet type:

    config system vdom-link
        edit "lan-extvdom"
            set type ethernet
        next
    end
  2. Configure the VDOM link interfaces:

    config system interface
        edit "lan_ext0"
            set vdom "lan-extvdom"
            set role lan
        next
        edit "lan_ext1"
            set vdom "root"
            set mode dhcp
        next
    end

    Since lan_ext0 has its role set to lan, this interface is added to the le-switch software switch in the lan-extvdom VDOM. This software switch provides network connectivity to the LAN extension clients (in the previous example) and the root VDOM clients (in this example) through the FortiGate Connector LAN extension VXLAN aggregate link.

  3. Verify that the lan_ext1 interface obtained an IP address from the FortiGate Controller (the client IP address on the lan_ext1 VDOM link is in the 192.168.0.0/24 subnet configured for the DHCP server in step 10c of the previous example):

    Connector-FGT (lan-ext) # diagnose ip address list | grep lan_ext1
    IP=192.168.0.1->192.168.0.1/255.255.255.0 index=30 devname=lan_ext1
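The verification in step 3 can be automated when many Connectors are deployed: parse the `diagnose ip address list` output and confirm that each DHCP client interface received an address from the DHCP server it is supposed to use (port3 from the backhaul server, lan_ext1 from the LAN extension server). The following Python script is an added example and is not part of this guide or of FortiOS. The lan_ext1 output line is the one shown above; the port3 line and the 172.31.0.0/24 backhaul subnet are constructed values assumed from the AC address 172.31.0.254 used in the GUI example.

```python
import ipaddress
import re
from typing import Dict

# Constructed sample of "diagnose ip address list" output. The lan_ext1 line
# is taken from the page; the port3 line is an assumed value for illustration.
SAMPLE_OUTPUT = """\
IP=172.31.0.10->172.31.0.10/255.255.255.0 index=7 devname=port3
IP=192.168.0.1->192.168.0.1/255.255.255.0 index=30 devname=lan_ext1
"""

# Expected DHCP server subnet per Connector interface (assumed values):
#   port3    -> backhaul subnet of the Controller port3 DHCP server
#   lan_ext1 -> subnet of the Controller LAN extension interface DHCP server
EXPECTED_SUBNETS = {
    "port3": "172.31.0.0/24",
    "lan_ext1": "192.168.0.0/24",
}

# One output line looks like:
#   IP=<addr>-><addr>/<dotted netmask> index=<n> devname=<interface>
LINE_RE = re.compile(
    r"IP=(?P<ip>[\d.]+)->(?P<addr>[\d.]+)/(?P<mask>[\d.]+)"
    r"\s+index=(?P<index>\d+)\s+devname=(?P<dev>\S+)"
)


def parse_ip_address_list(output: str) -> Dict[str, ipaddress.IPv4Interface]:
    """Map each interface name in the diag output to its address/netmask."""
    result: Dict[str, ipaddress.IPv4Interface] = {}
    for line in output.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip blank lines and the CLI prompt
        # ipaddress accepts a dotted netmask after the slash
        result[m["dev"]] = ipaddress.IPv4Interface(f"{m['addr']}/{m['mask']}")
    return result


def check_dhcp_lease(output: str, devname: str, expected_subnet: str) -> bool:
    """True if devname holds a host address inside expected_subnet.

    Network and broadcast addresses are rejected: a DHCP server never hands
    those out, so seeing one means the interface did not get a proper lease.
    """
    iface = parse_ip_address_list(output).get(devname)
    if iface is None:
        return False  # interface has no IPv4 address yet (DHCP not completed)
    net = ipaddress.IPv4Network(expected_subnet)
    return iface.ip in net and iface.ip not in (net.network_address, net.broadcast_address)


def verify_connector(output: str, expected: Dict[str, str]) -> Dict[str, bool]:
    """Run check_dhcp_lease for every interface in the expected map."""
    return {dev: check_dhcp_lease(output, dev, subnet) for dev, subnet in expected.items()}


if __name__ == "__main__":
    for dev, ok in verify_connector(SAMPLE_OUTPUT, EXPECTED_SUBNETS).items():
        print(f"{dev}: {'OK' if ok else 'NO LEASE / WRONG SUBNET'}")
```

In practice the output string would come from the Connector CLI rather than the constructed sample; the checks are intentionally strict so that an interface that picked up an address from the wrong DHCP server (for example, the backhaul server instead of the LAN extension server) is reported rather than silently passing.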