Skip to main content
Cajuntank
Cajuntank
Contributor III
November 22, 2024
Solved

VXLAN discussion/design questions?

  • November 22, 2024
  • 2 replies
  • 1840 views

This is my first foray into the need for VXLAN and have some questions. My current site has a L3 Aruba switch, which handles my internal VLANs, an egress VLAN connecting to my FortiGate which connects to both a private WAN circuit to my data center (which in turn, provides Internet) and a backup Internet circuit for Internet failover and the IPSEC VPN spoke to hub (data center).

 

Bought new building that we will be moving to, so want to implement VXLAN so I can use the same VLANs and subnets for all the new equipment going in so when we do actually move, it will be an easier transition. So the VXLAN config will be a temporary situation (no more than 6 months is my guess).

 

From a design perspective, my idea is to implement the same low cost Internet "backup" at the new site, but it will be the main Internet connection until time gets closer for the move to add the higher dollar private WAN circuit as the primary. I will establish a IPSEC VPN connection between the two sites directly (so not even going to attempt to go through data center). I have looked at the config example of what I have to do at the Aruba level for VXLAN, but my question is, since the VLANs are all hanging off the of the Aruba L3 switch, is there even the need to also do any kind of VXLAN on the FortiGate?

Best answer by ebilcari

If this will involve only two sites and the Aruba switches can handle VXLAN and work as VTEPs, the FGT don't have to participate. FGT will only see it as a UDP traffic on port 4789.

The only part that needs careful planning is the MTU, since you are planning to also have IPSec you will need a bigger MTU (1600) if the ISP allows it. You can also refer to this old discussion here.

2 replies

Jean-Philippe_P
Staff & Editor
Jean-Philippe_P
Staff & Editor
November 25, 2024

Hello Cajuntank, 

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

 

Thanks, 

Jean-Philippe - Fortinet Community Team
ebilcari
Staff
ebilcariAnswer
Staff
November 26, 2024

If this will involve only two sites and the Aruba switches can handle VXLAN and work as VTEPs, the FGT don't have to participate. FGT will only see it as a UDP traffic on port 4789.

The only part that needs careful planning is the MTU, since you are planning to also have IPSec you will need a bigger MTU (1600) if the ISP allows it. You can also refer to this old discussion here.

Emirjon
    Cajuntank
    CajuntankAuthor
    Contributor III
    November 26, 2024

    That was my gut thought reaction, but wanted to run it by someone to make sure or see if maybe I was just missing something as again, this will be my first VXLAN config need. I doubt I will have any kind of ability to adjust the MTU on the ISP side of things, but I will ask to see if possible. Thank you.

    Terms & ConditionsAccessibility statement