VXLAN interfaces
You can use Virtual Extensible LAN (VXLAN) interfaces to send layer-2 traffic between FortiSwitch units over a layer-3 tunnel. VXLAN tunnels connect virtual tunnel endpoints (VTEPs) using VXLAN network identifiers (VNIs).
A FortiSwitch unit (VTEP) encapsulates traffic from a VNI and then sends it across the physical IP network using the VXLAN tunnel to another FortiSwitch unit (VTEP)
In the following configuration example, three VNIs connect four FortiSwitch units (VTEPs).
The FortiSwitch units learn remote MAC addresses by flooding broadcast, unicast, and multicast packets to each remote-ip address to find out the MAC address associated with the tunnel source.
The following requirements apply to VXLAN tunnels:
-
When you configure the VXLAN interface, the system interface defines the VXLAN tunnel terminator, and the VXLAN tunnel destination must match the
remote-ipsetting of the VXLAN tunnel initiator. -
The IP address used for the VXLAN tunnel must be a static IP address and must be the primary IP address on the interface. If the primary IP address is static but the IP address has not been configured, no VXLAN tunnel is created.
-
The
modeforconfig system interfacecannot be set todhcp; otherwise, the results are unreliable. -
The
tunnel-loopbackcan be set only on FS-1048E. Whentunnel-loopbackis set, VLAN 4087 is reserved. VLAN 4097 cannot be used on the FortiGate device. -
If you are using VXLAN with FortiLink, refer to Managing FortiSwitch units on VXLAN interfaces.
To create a VXLAN tunnel:
-
Set the UDP port for the VXLAN tunnel destination.
The range of values is 1-65535. The default port is 4789.
-
Configure the VXLAN interface.
-
Check the VXLAN configuration.
To set the VXLAN tunnel destination:
config switch global
set vxlan-port <1-65535>
end
For example:
config switch global
set vxlan-port 100
end
To configure the VXLAN interface:
config system vxlan
edit <VXLAN_interface_name>
set vni <1-16777215>
set vlanid <1-4094>
set interface <interface_name>
set ip-version {ipv4-multicast | ipv4-unicast}
set remote-ip <IPv4_address>
set tunnel-loopback <interface_name>
next
end
|
Variable |
Description |
Default |
| <VXLAN_interface_name> | Enter a name for the VXLAN interface | No default |
| vni <integer> | Required. Set the VXLAN network identifier (VNI). | 0 |
| vlanid <integer> | Required. Set the VLAN identifier that is mapped to the VNI. When tunnel-loopback is set, VLAN 4087 is reserved. |
0 |
| interface <interface_name> | Required. Enter the name of the outgoing interface for the VXLAN tunnel. | No default |
| ip-version {ipv4-multicast | ipv4-unicast} |
Required. Select the type of IPv4 address to use to communicate over the VXLAN tunnel.
|
ipv4-unicast |
| remote-ip <IPv4_address> | Required. Enter the source and destination IPv4 addresses of the VXLAN interface. The VXLAN tunnel destination must match the remote-ip setting of the VXLAN tunnel initiator. |
No default |
|
tunnel-loopback <interface_name> |
Enter the name of the tunnel-loopback interface. The |
No default |
For example, if you want to create the following two VXLAN tunnels:
|
You need to configure loopback 1.1.1.1: config system vxlan edit "vni.4094" set vni 4094 set vlan 4094 set ip-version ipv4-unicast set remote-ip "2.2.2.2" set interface "loopback" next end
config system interface edit "svi.10" set ip 192.168.0.1 next edit "loopback" set ip 1.1.1.1/32 next end |
You need to configure loopback 2.2.2.2: config system vxlan edit "vni.4094" set vni 4094 set vlan 4094 set ip-version ipv4-unicast set remote-ip "1.1.1.1" set interface "loopback" next end
config system interface edit "svi.10" set ip 192.168.0.2 next edit "loopback" set ip 2.2.2.2/32 next end |
To check the VXLAN configuration:
diagnose switch vxlan mac-address list <VXLAN_interface_name>