Administration Guide

VXLAN interfaces

You can use Virtual Extensible LAN (VXLAN) interfaces to send layer-2 traffic between FortiSwitch units over a layer-3 tunnel. VXLAN tunnels connect virtual tunnel endpoints (VTEPs) using VXLAN network identifiers (VNIs).

A FortiSwitch unit (VTEP) encapsulates traffic from a VNI and then sends it across the physical IP network through the VXLAN tunnel to another FortiSwitch unit (VTEP).

In the following configuration example, three VNIs connect four FortiSwitch units (VTEPs).

The FortiSwitch units learn remote MAC addresses by flooding broadcast, unicast, and multicast packets to each remote-ip address, and record which MAC addresses are associated with each tunnel source.
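The flood-then-learn behaviour described above, as an added illustration (this is not FortiSwitchOS code): the 8-byte VXLAN header layout follows RFC 7348 (I flag 0x08, 24-bit VNI), the two VTEP addresses and VNI 4094 are the ones used in this page's example, the host MACs are constructed, and the MAC table keyed on (VNI, MAC) is a simplification of what `diagnose switch vxlan mac-address list` reports.

```python
"""Added example: VXLAN encapsulation and remote-MAC learning, modelled on RFC 7348.
Constructed frames only; not FortiSwitchOS code."""
import struct

VXLAN_PORT = 4789                 # default UDP port on this page (set vxlan-port <1-65535>)
BROADCAST = bytes.fromhex("ffffffffffff")


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def ethernet_frame(dst: bytes, src: bytes, payload: bytes, ethertype: int = 0x0800) -> bytes:
    # Constructed inner layer-2 frame: dst MAC, src MAC, EtherType, payload.
    return dst + src + struct.pack("!H", ethertype) + payload


def encapsulate(vni: int, inner: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header: flags (I bit 0x08), 3 reserved bytes,
    24-bit VNI, 1 reserved byte. The outer IP/UDP headers are the VTEP's job."""
    if not 1 <= vni <= 0xFFFFFF:
        raise ValueError("VNI must be in 1-16777215")
    return struct.pack("!B3xI", 0x08, vni << 8) + inner


def decapsulate(packet: bytes):
    """Validate the VXLAN header; return (vni, inner_dst_mac, inner_src_mac, inner_frame)."""
    if len(packet) < 8 + 14:
        raise ValueError("truncated VXLAN packet")
    flags, word = struct.unpack("!B3xI", packet[:8])
    if not flags & 0x08:
        raise ValueError("VXLAN I flag clear: VNI field is not valid")
    inner = packet[8:]
    return word >> 8, inner[0:6], inner[6:12], inner


class Vtep:
    """Minimal VTEP: one VNI<->VLAN mapping, a list of remote-ip peers, and a
    MAC table keyed on (VNI, MAC) that records which remote VTEP sourced the MAC."""

    def __init__(self, ip: str, vni: int, vlanid: int, remote_ips):
        self.ip, self.vni, self.vlanid = ip, vni, vlanid
        self.remote_ips = list(remote_ips)
        self.mac_table = {}           # (vni, mac bytes) -> remote VTEP IP

    def send(self, inner: bytes):
        """Return [(dst_vtep_ip, vxlan_packet)]: unicast if the destination MAC was
        learned, otherwise flood to every remote-ip (this is how remote MACs get found)."""
        dst = inner[0:6]
        packet = encapsulate(self.vni, inner)
        known = self.mac_table.get((self.vni, dst))
        targets = [known] if known else self.remote_ips
        return [(ip, packet) for ip in targets]

    def receive(self, outer_src_ip: str, packet: bytes):
        """Learn the inner source MAC against the outer source IP, then return
        (vni, inner frame) for delivery onto the mapped VLAN. Drops foreign VNIs."""
        vni, _dst, src, inner = decapsulate(packet)
        if vni != self.vni:
            return None
        self.mac_table[(vni, src)] = outer_src_ip
        return vni, inner


def run_exchange():
    """Two VTEPs as on this page (loopbacks 1.1.1.1 and 2.2.2.2, VNI 4094).
    Host A behind VTEP 1 broadcasts; host B replies; both tables end up populated."""
    host_a = bytes.fromhex("02aa00000001")   # constructed locally-administered MACs
    host_b = bytes.fromhex("02bb00000002")
    vtep1 = Vtep("1.1.1.1", 4094, 4094, ["2.2.2.2"])
    vtep2 = Vtep("2.2.2.2", 4094, 4094, ["1.1.1.1"])

    # Broadcast from host A: unknown destination, so VTEP 1 floods to its remote-ip list.
    out = vtep1.send(ethernet_frame(BROADCAST, host_a, b"who-has"))
    flooded_to = [ip for ip, _ in out]
    for _ip, pkt in out:
        vtep2.receive(vtep1.ip, pkt)

    # Reply from host B: VTEP 2 now knows host A sits behind 1.1.1.1, so it unicasts.
    out = vtep2.send(ethernet_frame(host_a, host_b, b"is-at"))
    for _ip, pkt in out:
        vtep1.receive(vtep2.ip, pkt)

    return {
        "flooded_to": flooded_to,
        "vtep2_learned": {mac_str(m): ip for (_, m), ip in vtep2.mac_table.items()},
        "vtep1_learned": {mac_str(m): ip for (_, m), ip in vtep1.mac_table.items()},
        "reply_targets": [ip for ip, _ in out],
    }


if __name__ == "__main__":
    print(run_exchange())
```

The flood step is what makes an unconfigured or wrong remote-ip visible: a VTEP that is missing from a peer's remote-ip list never receives the flooded frame, so its hosts are never learned and traffic to them keeps being flooded.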

The following requirements apply to VXLAN tunnels:

  • When you configure the VXLAN interface, the system interface defines the VXLAN tunnel destination, and the VXLAN tunnel destination must match the remote-ip setting of the VXLAN tunnel initiator.

  • The IP address used for the VXLAN tunnel must be a static IP address and must be the primary IP address on the interface. If the primary IP address is static but the IP address has not been configured, no VXLAN tunnel is created.

  • The mode setting under config system interface cannot be dhcp; otherwise, the results are unreliable.

  • If you are using VXLAN with FortiLink, refer to Managing FortiSwitch units on VXLAN interfaces.

To create a VXLAN tunnel:
  1. Set the UDP port for the VXLAN tunnel destination.

    The range of values is 1-65535. The default port is 4789.

  2. Configure the VXLAN interface.

  3. Check the VXLAN configuration.

To set the VXLAN tunnel destination:

    config switch global
        set vxlan-port <1-65535>
    end

For example:

    config switch global
        set vxlan-port 100
    end

To configure the VXLAN interface:

    config system vxlan
        edit <VXLAN_interface_name>
            set vni <1-16777215>
            set vlanid <1-4094>
            set interface <interface_name>
            set ip-version {ipv4-multicast | ipv4-unicast}
            set remote-ip <IPv4_address>
        next
    end

Variables, descriptions, and defaults:

<VXLAN_interface_name>
    Enter a name for the VXLAN interface. No default.

vni <integer>
    Required. Set the VXLAN network identifier (VNI). The range of values is 1-16777215. Default: 0.

vlanid <integer>
    Required. Set the VLAN identifier that is mapped to the VNI. When tunnel-loopback is set, VLAN 4087 is reserved. Default: 0.

interface <interface_name>
    Required. Enter the name of the outgoing interface for the VXLAN tunnel. Starting in FortiSwitchOS 7.2.1, you can specify a routed VLAN interface (RVI). No default.

ip-version {ipv4-multicast | ipv4-unicast}
    Required. Select the type of IPv4 address to use to communicate over the VXLAN tunnel.
      • ipv4-multicast—Use IPv4 multicast addressing over the VXLAN tunnel.
      • ipv4-unicast—Use IPv4 unicast addressing over the VXLAN tunnel.
    Default: ipv4-unicast.

remote-ip <IPv4_address>
    Required. Enter the source and destination IPv4 addresses of the VXLAN interface. The VXLAN tunnel destination must match the remote-ip setting of the VXLAN tunnel initiator. Starting in FortiSwitchOS 7.2.1, you can specify an RVI as the source or destination IPv4 address. No default.

For example, to create the following two VXLAN tunnels (one end on the switch whose loopback is 1.1.1.1, the other on the switch whose loopback is 2.2.2.2):

To configure loopback 1.1.1.1:

    config system vxlan
        edit "vni.4094"
            set vni 4094
            set vlanid 4094
            set ip-version ipv4-unicast
            set remote-ip "2.2.2.2"
            set interface "loopback"
        next
    end

    config system interface
        edit "svi.10"
            set ip 192.168.0.1
        next
        edit "loopback"
            set ip 1.1.1.1/32
        next
    end

To configure loopback 2.2.2.2:

    config system vxlan
        edit "vni.4094"
            set vni 4094
            set vlanid 4094
            set ip-version ipv4-unicast
            set remote-ip "1.1.1.1"
            set interface "loopback"
        next
    end

    config system interface
        edit "svi.10"
            set ip 192.168.0.2
        next
        edit "loopback"
            set ip 2.2.2.2/32
        next
    end

To check the VXLAN configuration:

    diagnose switch vxlan mac-address list <VXLAN_interface_name>

STP virtual root

Starting in FortiSwitchOS 7.2.1, you can prevent layer-2 loops between VTEPs. When the STP virtual root feature is enabled on all VTEPs in a VXLAN tunnel, the FortiSwitch units act as a single STP root so that no loops can form between any of the switches.

For example, in the following topology, the user has accidentally configured a loop between switch E1 and switch E3:

Using the STP virtual root feature, the loop between switch E1 and switch E3 is prevented:

Note: For the STP virtual root feature to work correctly, the core of the network must be a routed layer-3 network that does not participate in the Spanning Tree Protocol. Commonly, the network instead uses routed interfaces that terminate the layer-2 network.

By default, the STP virtual root feature is disabled. After you enable this feature, the MAC address for the virtual STP root is set to 08:5B:0E:00:00:00 by default, and the STP instance priority is set to 0. If you want to use a different MAC address for the virtual STP root, you can configure any unicast MAC address, but the same MAC address must be configured on all VTEPs in the VXLAN tunnel. If different MAC addresses are configured on the VTEPs, the message “ERROR: virtual-root enable, not root!” is listed on the Switch > STP > Instances page.

The VTEPs must meet one of the following requirements to become an STP virtual root:

  • Run IEEE 802.1s multiple Spanning Tree Protocol (MSTP) and belong to a Common and Internal Spanning Tree (CIST).

  • Run IEEE 802.1s MSTP and are in the same MSTP region.

  • Run IEEE 802.1D Spanning Tree Protocol (STP).

  • Run IEEE 802.1w Rapid Spanning Tree Protocol (RSTP).

  • Support interoperation with per-VLAN Rapid Spanning Tree (RPVST) with their roots within FortiSwitch units.

Note: If you are using an SVI that is associated with one or more VLANs on the network side, Fortinet recommends locating the network-side VLAN and the access-side VLAN on different STP instances.

To create the STP virtual root, configure the following commands on all VTEPs in a VXLAN tunnel:

    config switch global
        set vxlan-stp-virtual-root enable
        set vxlan-stp-virtual-mac <MAC_address>
    end
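A configuration check for the rules this page states, as an added example that is not Fortinet's tooling: it reads the config/edit/set/next/end snippets in the form shown above with a simplified parser, then verifies the tunnel requirements (matching vxlan-port and vni, a static primary IP on the outgoing interface, each peer's remote-ip equal to the other's tunnel source) and the STP virtual root rule (enabled on all VTEPs with one identical unicast vxlan-stp-virtual-mac). The sample configs are constructed from the two-switch example on this page; an interface with no `mode` line is assumed to be static.

```python
"""Added example (not FortiSwitchOS code): parse the CLI snippets shown on this page and
check the tunnel requirements it lists, plus the STP virtual root MAC consistency rule."""
import shlex

PAGE_DEFAULT_VXLAN_PORT = "4789"
PAGE_DEFAULT_VROOT_MAC = "08:5b:0e:00:00:00"


def parse_cli(text: str) -> dict:
    """Simplified reader for config/edit/set/next/end. Returns {table: {...}} where an
    'edit' table maps entry name -> settings and a global table maps key -> value."""
    tree, stack = {}, []                         # stack items: [table, current target]
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "config":
            table = tree.setdefault(" ".join(tok[1:]), {})
            stack.append([table, table])
        elif tok[0] == "edit":
            stack[-1][1] = stack[-1][0].setdefault(tok[1], {})
        elif tok[0] == "set":
            stack[-1][1][tok[1]] = " ".join(tok[2:])
        elif tok[0] == "next":
            stack[-1][1] = stack[-1][0]
        elif tok[0] == "end":
            stack.pop()
    return tree


def tunnel_source(cfg: dict, vx: dict):
    """Tunnel source = static primary IP of the outgoing interface. None when the interface
    is missing, in dhcp mode, or has no address (the page: no tunnel is created).
    Assumption: an interface without a 'mode' line is static."""
    iface = cfg.get("system interface", {}).get(vx.get("interface", ""))
    if iface is None or iface.get("mode", "static") == "dhcp":
        return None
    ip = iface.get("ip", "").split("/")[0]
    return ip if ip and ip != "0.0.0.0" else None


def check_pair(text_a: str, text_b: str, name: str) -> list:
    """Return findings for VXLAN entry `name` across two VTEP configs (empty = consistent)."""
    cfgs = {"A": parse_cli(text_a), "B": parse_cli(text_b)}
    glob = {k: c.get("switch global", {}) for k, c in cfgs.items()}
    findings = []
    ports = {k: g.get("vxlan-port", PAGE_DEFAULT_VXLAN_PORT) for k, g in glob.items()}
    if ports["A"] != ports["B"]:
        findings.append(f"vxlan-port mismatch: A={ports['A']} B={ports['B']}")
    vx = {k: c.get("system vxlan", {}).get(name) for k, c in cfgs.items()}
    if None in vx.values():
        missing = ", ".join(k for k, v in vx.items() if v is None)
        return findings + [f"VXLAN interface {name} missing on {missing}"]
    if vx["A"].get("vni") != vx["B"].get("vni"):
        findings.append(f"vni mismatch: A={vx['A'].get('vni')} B={vx['B'].get('vni')}")
    for me, peer in (("A", "B"), ("B", "A")):
        src = tunnel_source(cfgs[me], vx[me])
        if src is None:
            findings.append(f"{me}: interface {vx[me].get('interface')!r} has no static primary IP, no tunnel is created")
        elif vx[peer].get("remote-ip") != src:
            findings.append(f"{peer}: remote-ip {vx[peer].get('remote-ip')} does not match {me}'s tunnel source {src}")
    # STP virtual root: enabled on all VTEPs, with one identical unicast MAC.
    states = {g.get("vxlan-stp-virtual-root", "disable") for g in glob.values()}
    if states == {"enable"}:
        macs = {g.get("vxlan-stp-virtual-mac", PAGE_DEFAULT_VROOT_MAC).lower() for g in glob.values()}
        if len(macs) != 1:
            findings.append("vxlan-stp-virtual-mac differs between VTEPs (GUI shows 'ERROR: virtual-root enable, not root!')")
        for mac in macs:
            if int(mac.split(":")[0], 16) & 1:   # group bit set: multicast, not allowed
                findings.append(f"vxlan-stp-virtual-mac {mac} is not a unicast address")
    elif states != {"disable"}:
        findings.append("vxlan-stp-virtual-root is enabled on only one VTEP")
    return findings


# Constructed configs following this page's two-switch example (svi.10 omitted).
VTEP_A = """
config switch global
    set vxlan-port 100
    set vxlan-stp-virtual-root enable
    set vxlan-stp-virtual-mac 08:5B:0E:00:00:00
end
config system vxlan
    edit "vni.4094"
        set vni 4094
        set vlanid 4094
        set ip-version ipv4-unicast
        set remote-ip "2.2.2.2"
        set interface "loopback"
    next
end
config system interface
    edit "loopback"
        set ip 1.1.1.1/32
    next
end
"""
VTEP_B = VTEP_A.replace("2.2.2.2", "1.1.1.1", 1).replace("1.1.1.1/32", "2.2.2.2/32")
VTEP_B_DHCP = VTEP_B.replace("set ip 2.2.2.2/32", "set mode dhcp")        # violates the dhcp rule
VTEP_B_BADMAC = VTEP_B.replace("08:5B:0E:00:00:00", "01:00:5e:00:00:01")  # differing, multicast MAC

if __name__ == "__main__":
    for label, b in (("good", VTEP_B), ("dhcp", VTEP_B_DHCP), ("badmac", VTEP_B_BADMAC)):
        print(label, check_pair(VTEP_A, b, "vni.4094") or "consistent")
```

The check is pairwise because a tunnel's remote-ip rule is pairwise; for more than two VTEPs, run it over every pair that shares a VNI, and the virtual root MAC comparison then covers the whole set.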
