Administration Guide

General VXLAN configuration and topologies

This topic describes general VXLAN configurations and commonly used topologies. In the most basic configuration, a FortiGate is configured as a VXLAN tunnel endpoint (VTEP).

To configure a FortiGate as a VTEP:
  1. Configure the local interface:

    config system vxlan
        edit <name> 
            set interface <string>
            set vni <integer> 
            set ip-version {ipv4-unicast | ipv6-unicast | ipv4-multicast | ipv6-multicast}
            set dstport <integer> 
            set remote-ip <IP_address>
            set remote-ip6 <IP_address>
        next
    end

    interface <string>

    Set the local outgoing interface for the VXLAN encapsulated traffic.

    vni <integer>

    Set the VXLAN network ID.

    ip-version {ipv4-unicast | ipv6-unicast | ipv4-multicast | ipv6-multicast}

    Set the IP version to use for the VXLAN device and communication over VXLAN (default = ipv4-unicast).

    dstport <integer>

    Set the VXLAN destination port (default = 4789).

    remote-ip <IP_address>

    Set the IPv4 address of the remote VXLAN endpoint.

    remote-ip6 <IP_address>

    Set the IPv6 address of the remote VXLAN endpoint.

    The VXLAN system interface is automatically created with a vxlan type.

  2. Configure the VXLAN interface settings:

    config system interface
        edit <name>
            set vdom <string>
            set type vxlan
            set ip <IP_address>
            set allowaccess {ping https ssh http telnet fgfm radius-acct probe-response fabric ftm speed-test}
        next
    end

    Assign an IP address only if the VXLAN interface is used as a routed interface; an interface that will be added to a software switch in step 3 must not have an IP address. Keep allowaccess limited to the management services that are actually required on this interface, and note that http and telnet are unencrypted.

  3. Connect the internal interface and VXLAN interface to the same L2 network.

    • Connect using a software switch:

      config system switch-interface
          edit <name>
              set vdom <string>
              set member <member_1> <member_2> ... <member_n>
              set intra-switch-policy {implicit | explicit}
          next
      end

      member <member_1> <member_2> ... <member_n>

      Enter the VXLAN interface and other physical or virtual interfaces that will share the L2 network.

      When adding an interface member to a software switch, it cannot have an IP address or be referenced in any other settings. For newly created VLAN interfaces, it is advised to change the role from LAN to undefined so that an address is not automatically assigned.

      intra-switch-policy {implicit | explicit}

      Allow any traffic between switch interfaces or require firewall policies to allow traffic between switch interfaces:

      • implicit: traffic between switch members is implicitly allowed.
      • explicit: traffic between switch members must match a firewall policy; traffic without a matching policy is dropped. Use this setting when the bridged traffic must be inspected or restricted.
    • Connect using a virtual wire pair:

      config system virtual-wire-pair
          edit <name>
              set member <member_1> <member_2>
              set wildcard-vlan {enable | disable}
              set vlan-filter <filter>
          next
      end

      member <member_1> <member_2>

      Enter the VXLAN interface and other physical or virtual interface that will share the L2 network.

      wildcard-vlan {enable | disable}

      Enable/disable wildcard VLAN. Disable to prevent VLAN-tagged traffic between the members of the virtual wire pair (default). Enable for VLAN tags to be allowed between the members.

      vlan-filter <filter>

      When wildcard-vlan is enabled, set the VLAN filter to specify which VLANs are allowed. By default, an empty vlan-filter allows all VLANs.

  4. If using a virtual wire pair, configure a firewall policy that allows traffic in both directions between its two members. Security profiles can be added to this policy to inspect the bridged traffic. (For a software switch, such a policy is only needed when intra-switch-policy is set to explicit.)

    config firewall policy
        edit <id>
            set name <name>
            set srcintf <member_1> <member_2>
            set dstintf <member_1> <member_2>
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end

Topologies

Many topologies can be deployed with VXLAN. A FortiGate can connect to VXLAN endpoints that are Fortinet devices or devices from other vendors. In the following topologies, it is assumed that at least one of the VTEPs is a FortiGate. The second VTEP can be any vendor.

Basic VXLAN between two VTEPs

In this topology, a FortiGate (VTEP 1) is configured with a VXLAN interface over port1 where the remote-ip points to port1 of VTEP 2. The VXLAN interface and port2 can be associated with the same L2 network by making them members of either a software switch or a virtual wire pair. Devices under the L2 switches are part of the same L2 network.

See Virtual wire pair with VXLAN for an example configuration.

VXLAN between two VTEPs with wildcard VLANs

In this topology, a FortiGate (VTEP 1) is configured with a VXLAN interface over port1 where the remote-ip points to port1 of VTEP 2. The VXLAN interface is combined with port2 into the same L2 network using a virtual wire pair. The virtual wire pair allows wildcard VLANs to pass, which allows VLAN tags to be encapsulated over VXLAN. As a result, VLANs can span different switches over VXLAN.

Variations of these two scenarios can also be found in FortiGate to FortiSwitch FortiLink connections over VXLAN. See Deployment procedures in the FortiSwitch VXLAN Deployment Guide for example configurations.

VXLAN between two VTEPs over IPsec

In scenarios where the VTEPs are located in different sites and traffic must be secured between them, VXLAN must be carried over IPsec. VXLAN itself provides no confidentiality, integrity or authentication: the VNI, the inner MAC addresses and VLAN tags, and the payload are all sent in cleartext inside UDP, and the VXLAN header carries nothing that lets a VTEP verify who sent a datagram. The VXLAN interface must therefore use the IPsec interface as its outgoing interface, and remote-ip must be the IP of the remote IPsec gateway as reached through that tunnel, so that the encapsulated frames are routed into the tunnel rather than sent directly over the underlay. The VXLAN interface can then be combined with port2 into the same L2 network using a software switch or virtual wire pair, and devices under the L2 switches can communicate with each other.

See VXLAN over IPsec tunnel with virtual wire pair for an example configuration. A variation of this scenario is explained in FortiGate LAN extension and in FortiExtender as FortiGate LAN extension (FortiExtender FortiGate-Managed Administration Guide).
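The following Python script is an added illustration, not part of this guide or of FortiOS. It builds and decapsulates a VXLAN datagram as it travels between two VTEPs, so the settings from the procedure above can be seen on the wire: vni is the 24-bit field in the 8-byte VXLAN header, dstport is the UDP destination port (4789 by default), and an 802.1Q tag inside the encapsulated Ethernet frame is what wildcard-vlan and vlan-filter decide to carry or drop. It also shows why the IPsec topologies exist: without IPsec, every field the parser recovers (VNI, inner MAC addresses, VLAN ID, payload) is readable by anyone on the underlay path, and the header itself offers nothing to authenticate the sender. The MAC addresses, VNI 1000, VLAN 100 and the "100,200-300" filter syntax are constructed for the example, and vlan_permitted models the virtual wire pair behaviour described above rather than reproducing FortiOS code.

```python
"""VXLAN framing (RFC 7348) between two VTEPs, added to illustrate the settings
above (not FortiOS code): "vni" is the 24-bit field in the 8-byte VXLAN header,
"dstport" the UDP destination port (default 4789), and an 802.1Q tag inside the
encapsulated frame is what wildcard-vlan / vlan-filter carry or drop.
All MAC addresses, VNI and VLAN values are constructed for the example."""
import struct

VXLAN_PORT = 4789      # FortiGate "set dstport" default
VXLAN_FLAG_I = 0x08    # "VNI valid" bit, required by RFC 7348
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

def ethernet_frame(dst_mac, src_mac, payload, vlan_id=None):
    """Ethernet II frame, optionally with an 802.1Q tag (PCP 0, DEI 0)."""
    frame = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan_id is not None:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload

def vxlan_encapsulate(vni, inner_frame):
    """Prepend the VXLAN header: flags(8) reserved(24) VNI(24) reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00" + inner_frame

def udp_datagram(src_port, dst_port, payload):
    """UDP header; a zero checksum is permitted for VXLAN over IPv4."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload

def parse_inner_frame(frame):
    """Return (dst_mac, src_mac, vlan_id or None, ethertype, payload)."""
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, offset = None, 14
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return dst, src, vlan_id, ethertype, frame[offset:]

def parse_vxlan_datagram(datagram, expected_vni, dst_port=VXLAN_PORT):
    """Decapsulate as a receiving VTEP does: check UDP port, I flag and VNI.
    Nothing else is checked: the header carries no authentication, so whatever
    reaches UDP/dst_port with the right VNI is accepted at this layer."""
    if len(datagram) < 16:
        raise ValueError("too short for UDP + VXLAN headers")
    udp_dst = struct.unpack("!HHHH", datagram[:8])[1]
    if udp_dst != dst_port:
        raise ValueError(f"UDP destination port {udp_dst} is not the VXLAN port")
    if not datagram[8] & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    vni = int.from_bytes(datagram[12:15], "big")
    if vni != expected_vni:
        raise ValueError(f"VNI {vni} does not match the configured VNI {expected_vni}")
    return vni, parse_inner_frame(datagram[16:])

def vtep_accepts(datagram, expected_vni, dst_port=VXLAN_PORT):
    """True if the datagram would be decapsulated into the local L2 segment."""
    try:
        parse_vxlan_datagram(datagram, expected_vni, dst_port)
        return True
    except ValueError:
        return False

def parse_vlan_filter(text):
    """Parse a filter written like "100,200-300" into a set of VLAN IDs
    (assumed syntax for the example; an empty string means no restriction)."""
    ids = set()
    for part in (p.strip() for p in text.split(",") if p.strip()):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def vlan_permitted(vlan_id, wildcard_vlan, vlan_filter=frozenset()):
    """Model of the virtual wire pair rule above: untagged frames always pass;
    tagged frames pass only with wildcard-vlan enabled and, if a filter is set,
    only for VLANs the filter lists."""
    if vlan_id is None:
        return True
    return wildcard_vlan and (not vlan_filter or vlan_id in vlan_filter)

def demo():
    """A host on VLAN 100 behind VTEP 1 sends a frame over VNI 1000 to VTEP 2."""
    inner = ethernet_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                           b"\x45" + b"\x00" * 19, vlan_id=100)  # dummy IPv4 payload
    wire = udp_datagram(49152, VXLAN_PORT, vxlan_encapsulate(1000, inner))
    vni, (dst, src, vlan_id, _, _) = parse_vxlan_datagram(wire, expected_vni=1000)
    # Without IPsec, everything printed here is cleartext on the underlay path.
    print(f"VNI {vni}: {src} -> {dst}, inner VLAN {vlan_id}")
    print("accepted by a VTEP configured for VNI 2000:", vtep_accepts(wire, 2000))
    print("VLAN 100 with filter 100,200-300:",
          vlan_permitted(vlan_id, True, parse_vlan_filter("100,200-300")))
    return vni, src, dst, vlan_id

if __name__ == "__main__":
    demo()
```

Running the script decapsulates the constructed datagram on VNI 1000, shows that the same datagram is rejected by a VTEP configured for VNI 2000, and evaluates the tagged frame against a virtual wire pair with wildcard-vlan enabled and a VLAN filter. Changing the vlan_permitted call to wildcard_vlan=False reproduces the default, where tagged frames are not carried between the members.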

VXLAN between multiple VTEPs in an IPsec hub and spoke topology

In this topology, an IPsec VPN hub and spoke overlay network is already configured between sites. To connect the networks behind the hub and the spokes, each spoke has a VXLAN connection to the hub, and the hub interconnects its private network with each of the VXLAN interfaces to the spokes. In this scenario, the private networks behind each spoke are effectively on the same L2 network as the private network behind the hub. Because all sites then share one broadcast domain, broadcast and ARP traffic from any spoke reaches every other site; if the hub joins the interfaces with a software switch and traffic between sites should be subject to firewall policies, set intra-switch-policy to explicit.

See VXLAN over IPsec using a VXLAN tunnel endpoint for an example configuration.
