FortiLink Guide

Managing FortiSwitch units on VXLAN interfaces

You can use Virtual Extensible LAN (VXLAN) interfaces to create a layer-2 overlay network when managing a FortiSwitch unit over a layer-3 network. After a VXLAN tunnel is set up between a FortiGate device and a FortiSwitch unit, the FortiGate device can use the VXLAN interface to manage the FortiSwitch unit. Only the management traffic uses the VXLAN tunnel; the FortiSwitch data traffic does not go through the VXLAN tunnel to the FortiGate device.

In the following configuration example, the FG-500E device is connected with a VXLAN tunnel to the FS-524D unit. After FortiLink is enabled on the VXLAN interface, the FortiGate device can manage the FortiSwitch unit.

To manage the FortiSwitch unit with the VXLAN interface:
  1. Configure the FortiSwitch unit.

  2. Configure the FortiGate device.

Configure the FortiSwitch unit

  1. Configure a VLAN interface for the VXLAN tunnel to use.

    config system interface
        edit "vlan-1000"
            set ip 10.200.1.2 255.255.255.0
            set allowaccess ping
            set vlanid 1000
            set interface "internal"
        next
    end

  2. Configure the VXLAN interface with the remote IP address of the FortiGate device.

    config system vxlan
        edit "vx-4094"
            set vni 123456
            set vlanid 4094
            set interface "vlan-1000"
            set remote-ip "10.100.1.1"
        next
    end

  3. Configure a static route with the VXLAN remote IP address as the destination.

    config router static
        edit 1
            set device "vlan-1000"
            set dst 10.100.1.1 255.255.255.255
            set gateway 10.200.1.50
        next
    end

  4. Configure the FortiLink switch trunk as a static ISL and disable automatic VLAN provisioning.

    config switch trunk
        edit "__FoRtILnk0L3__"
            set auto-isl 1
            set static-isl enable
            set static-isl-auto-vlan disable
            set members "port19"
        next
    end

  5. Configure the FortiLink interface so that its native VLAN matches the VLAN used for the VXLAN in step 1.

    config switch interface
        edit "__FoRtILnk0L3__"
            set native-vlan 1000
            set allowed-vlans 1,1000,4088-4094
            set dhcp-snooping trusted
            ....
        next
    end

  6. If you are not using DHCP option 138 to inform the FortiSwitch unit of the FortiGate IP address, enable static discovery.

    config switch-controller global
        set ac-discovery-type static
        config ac-list
            edit 1
                set ipv4-address 10.255.2.1
            next
        end
    end

  7. Assign VLAN ID 4094 as the native VLAN of the "internal" interface, which is used to establish the FortiLink connection with the FortiGate device over VXLAN.

    config switch interface
        edit "internal"
            set native-vlan 4094
        next
    end

  8. Make sure that the FortiSwitch unit can be discovered by the FortiGate device over VXLAN.

    config switch global
        set auto-fortilink-discovery enable
    end

Configure the FortiGate device

  1. Configure the system interface.

    config system interface
        edit "port2"
            set vdom "root"
            set ip 10.100.1.1 255.255.255.0
            set allowaccess ping https http
        next
    end

  2. Configure the VXLAN interface.

    config system vxlan
        edit "flk-vxlan"
            set interface "port2"
            set vni 123456
            set remote-ip "10.200.1.2"
        next
    end

  3. Enable FortiLink on the VXLAN interface and set its IP address.

    config system interface
        edit "flk-vxlan"
            set fortilink enable
            set ip 10.255.2.1 255.255.255.0
        next
    end

  4. Configure a static route to the subnet of the FortiSwitch VLAN interface.

    config router static
        edit 0
            set dst 10.200.1.0 255.255.255.0
            set gateway 10.100.1.50
            set distance 5
            set device "port2"
        next
    end

  5. Configure the DHCP server with option 138 to provide the switch-controller IP address to the FortiSwitch unit. DNS and NTP services are provided by the FortiGate device.

    config system dhcp server
        edit 0
            set dns-service local
            set ntp-service local
            set default-gateway 10.255.2.1
            set netmask 255.255.255.0
            set interface "flk-vxlan"
            config ip-range
                edit 1
                    set start-ip 10.255.2.2
                    set end-ip 10.255.2.254
                next
            end
            config options
                edit 1
                    set code 138
                    set type ip
                    set ip "10.255.2.1"
                next
            end
            set vci-match enable
            set vci-string "FortiSwitch"
        next
    end
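
The two ends of this tunnel only come up if they agree on the VNI and if each side's remote-ip is the address the peer bound to its own interface (vlan-1000 on the FortiSwitch unit, port2 on the FortiGate device). The following Python is an added example, not Fortinet code or a FortiOS feature: it parses the CLI configuration of both devices and reports any disagreement. It assumes the flat config/edit/set layout used on this page, and the embedded configurations are constructed from the values above.

```python
def parse_fortios(text):
    """Parse the flat config/edit/set subset of FortiOS CLI into {(table, edit_name): {key: value}}."""
    objs, table, name = {}, None, None
    for tok in (line.replace('"', "").split() for line in text.splitlines()):
        if tok[:1] == ["config"]:
            table = " ".join(tok[1:])
        elif tok[:1] == ["edit"]:
            name, objs[(table, tok[1])] = tok[1], {}
        elif tok[:1] == ["set"]:
            objs[(table, name)][tok[1]] = " ".join(tok[2:])
    return objs

def check_vxlan_pair(switch_cfg, gate_cfg, sw_vx, fg_vx):
    """Return the mismatches between the two VXLAN endpoints (an empty list means they agree)."""
    sw, fg = parse_fortios(switch_cfg), parse_fortios(gate_cfg)
    svx, gvx = sw[("system vxlan", sw_vx)], fg[("system vxlan", fg_vx)]
    # Each side's VTEP is the IP bound to the interface its VXLAN object uses; the peer's remote-ip must match it.
    sw_vtep = sw[("system interface", svx["interface"])]["ip"].split()[0]
    fg_vtep = fg[("system interface", gvx["interface"])]["ip"].split()[0]
    checks = [
        (svx["vni"] == gvx["vni"], f"VNI mismatch: switch {svx['vni']}, FortiGate {gvx['vni']}"),
        (svx["remote-ip"] == fg_vtep, f"switch remote-ip {svx['remote-ip']} is not the FortiGate VTEP {fg_vtep}"),
        (gvx["remote-ip"] == sw_vtep, f"FortiGate remote-ip {gvx['remote-ip']} is not the switch VTEP {sw_vtep}"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed sample: the management example above, reduced to the objects the check reads.
FORTISWITCH_CFG = """config system interface
    edit "vlan-1000"
        set ip 10.200.1.2 255.255.255.0
    next
end
config system vxlan
    edit "vx-4094"
        set vni 123456
        set interface "vlan-1000"
        set remote-ip "10.100.1.1"
    next
end"""
FORTIGATE_CFG = """config system interface
    edit "port2"
        set ip 10.100.1.1 255.255.255.0
    next
end
config system vxlan
    edit "flk-vxlan"
        set interface "port2"
        set vni 123456
        set remote-ip "10.200.1.2"
    next
end"""

if __name__ == "__main__":
    print(check_vxlan_pair(FORTISWITCH_CFG, FORTIGATE_CFG, "vx-4094", "flk-vxlan") or "endpoints agree")
```

Paste the output of the relevant show commands from each device in place of the constructed strings to check a live deployment.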

FortiSwitch VLANs over VXLAN

On some FortiSwitch models, you can send user traffic over a VXLAN tunnel, creating a layer-2 overlay over a layer-3 network, which allows Security Fabric functionality to be applied to devices connected to the FortiSwitch unit.

In the following configuration example, the FG-1800F device is connected with a VXLAN tunnel to the FS-1048E unit. After FortiLink is enabled on the VXLAN interface, the FortiGate device can manage the FortiSwitch unit.

  1. Configure a VLAN interface for the VXLAN tunnel to use.

    config system interface
        edit "vlan-1000"
            set ip 10.200.1.2 255.255.255.0
            set vlanid 1000
            set interface "internal"
        next
    end

  2. Configure a static route with the VXLAN remote IP address as the destination.

    config router static
        edit 1
            set device "vlan-1000"
            set dst 10.100.1.1 255.255.255.255
            set gateway 10.200.1.50
        next
    end

  3. Configure a link monitor that checks reachability of the gateway.

    config system link-monitor
        edit "1"
            set srcintf "vlan-1000"
            set protocol ping
            set gateway-ip 10.200.1.50
            set interval 60
        next
    end

  4. Configure the FortiLink switch trunk as a static ISL and disable automatic VLAN provisioning.

    config switch trunk
        edit "__FoRtILnk0L3__"
            set auto-isl 1
            set static-isl enable
            set static-isl-auto-vlan disable
            set members "port19"
        next
    end

  5. Configure the FortiLink interface so that the native VLAN matches the VLAN used for the VXLAN defined in step 1.

    config switch interface
        edit "__FoRtILnk0L3__"
            set native-vlan 1000
        next
    end

  6. Assign VLAN ID 4094 as the native VLAN of the "internal" interface, which is used to establish the FortiLink connection with the FortiGate device over VXLAN.

    config switch interface
        edit "internal"
            set native-vlan 4094
        next
    end

  7. If you are not using DHCP option 138 to inform the FortiSwitch unit of the FortiGate IP address, enable static discovery.

    config switch-controller global
        set ac-discovery-type static
        config ac-list
            edit 1
                set ipv4-address 10.255.2.1
            next
        end
    end

  8. Connect two physical ports to each other as a loopback. In this example, port23 and port24 are connected.

  9. Create two trunks, each with one physical port as its only member; the two ports are the ones cabled together as the loopback. In this example, trunk tr1 is created with port23 as a member and trunk tr2 is created with port24 as a member, so port24 forms a loopback with port23.

  10. Configure trunk tr2 as static-isl. Leave the rest of the values at the defaults.

    config switch trunk
        edit "tr2"
            set auto-isl 1
            set static-isl enable
            set static-isl-auto-vlan disable
            set members "port24"
        next
    end

  11. Configure the tr2 interface with a native VLAN of 4094 and the allowed VLANs as 1-4094.

    config switch interface
        edit "tr2"
            set native-vlan 4094
            set allowed-vlans 1-4094
        next
    end

  12. Configure trunk tr1 as static-isl and static-isl-auto-vlan. Leave the rest of the values at the defaults. This trunk is used as the VXLAN tunnel-loopback interface. port23 forms a loopback with port24.

    config switch trunk
        edit "tr1"
            set auto-isl 1
            set static-isl enable
            set static-isl-auto-vlan disable
            set members "port23"
        next
    end

  13. Configure the tr1 interface with a native VLAN of 4087 and disable STP.

    config switch interface
        edit "tr1"
            set native-vlan 4087
            set stp-state disabled
        next
    end

  14. Configure the VXLAN interface with tr1 as the tunnel-loopback interface. Set the interface to the normal SVI created in step 1, which is used to reach the Internet. The remote-ip address is the remote VTEP; in this case, the remote VTEP is the FortiGate interface used for the VXLAN tunnel.

    With this configuration, all VLAN traffic from the switch, including all FortiSwitch VLANs, loops through tr1 and initiates the VXLAN tunnel to the FortiGate device.

    config system vxlan
        edit vx1
            set interface vlan-1000
            set vni 4094
            set remote-ip 10.100.1.1
            set tunnel-loopback "tr1"
        next
    end

Verifying VXLAN management

Starting in FortiOS 7.4.0 with FortiSwitchOS 7.4.0, you can use the execute switch-controller get-conn-status command to show whether a managed FortiSwitch unit is controlled over VXLAN.

In the following example, the V flag indicates that the managed FortiSwitch unit is controlled over VXLAN:

FGVMULTM22004064 # execute switch-controller get-conn-status
Managed-devices in current vdom root:

FortiLink interface : vx100
SWITCH-ID VERSION STATUS FLAG ADDRESS JOIN-TIME SERIAL
S108DV3A17000071 v7.2.0 (5029) Authorized/Up V 1.2.3.4 Wed Mar 29 17:23:24 2023 S108DV3A17000071

 Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=config sync error, 3=L3, V=VXLAN
 Managed-Switches: 1 (UP: 1 DOWN: 0 MAX: 300)
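
When many switches are managed, this output can be parsed so that any switch that is not Authorized/Up, or that joined without the V flag, is reported rather than read off by eye. The following Python is an added example, not part of the Fortinet documentation: the regular expression is derived from the sample output above, the second data row in the sample is constructed with a placeholder switch ID, and the handling of an empty FLAG column is an assumption about the output format.

```python
import re

# One data row of "execute switch-controller get-conn-status". VERSION ("v7.2.0 (5029)") and
# JOIN-TIME contain spaces, so a plain split() would shift the columns. Assumption: an empty
# FLAG column prints nothing, which the optional [A-Z0-9]* group also accepts.
ROW_RE = re.compile(
    r"^(?P<switch_id>\S+)\s+(?P<version>v\S+ \(\d+\))\s+(?P<status>\S+)\s+"
    r"(?P<flags>[A-Z0-9]*)\s*(?P<address>\d+(?:\.\d+){3})\s+(?P<join_time>.+?)\s+(?P<serial>\S+)\s*$"
)

# Constructed sample: the row shown above plus a second, placeholder switch that joined over
# plain layer-3 FortiLink (flag 3) rather than over VXLAN.
SAMPLE_OUTPUT = """Managed-devices in current vdom root:

FortiLink interface : vx100
SWITCH-ID VERSION STATUS FLAG ADDRESS JOIN-TIME SERIAL
S108DV3A17000071 v7.2.0 (5029) Authorized/Up V 1.2.3.4 Wed Mar 29 17:23:24 2023 S108DV3A17000071
FSPLACEHOLDER02 v7.2.0 (5029) Authorized/Up 3 10.255.2.3 Wed Mar 29 17:25:01 2023 FSPLACEHOLDER02

 Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=config sync error, 3=L3, V=VXLAN
 Managed-Switches: 2 (UP: 2 DOWN: 0 MAX: 300)
"""

def parse_conn_status(text):
    """Return one dict per managed switch; the FLAG column becomes a set of flag letters."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["flags"] = set(row["flags"])
            rows.append(row)
    return rows

def switches_not_on_vxlan(text):
    """IDs of switches that are not both Authorized/Up and managed through VXLAN (V flag)."""
    return [r["switch_id"] for r in parse_conn_status(text)
            if r["status"] != "Authorized/Up" or "V" not in r["flags"]]
```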
