Cybersecurity Forum

SulaAl_D
New Contributor

VXLAN with Multiple Subnets

Hi,

I have a setup for a customer comprising two sites:

Site A : HQ
Site B : DR

We are planning to use VXLAN over IPsec VPN to extend a few subnets to DR.

Subnets 192.168.1.x/24 and 192.168.12.x/24 have to be extended using VXLAN. I have tested VXLAN without IPsec VPN in my lab, and I was able to extend VLANs 192.168.1.x and 192.168.12.x.

But I am not able to use the IPsec interface in this configuration, since we can't use the VXLAN interface on both soft switches.

In addition, VLAN 192.168.100.x/24 must also communicate with the HQ VLANs.

This is my configuration of VXLAN on both firewalls.
HQ:
config system interface
    edit "port3"
        set vdom "root"
        set ip 172.16.16.97 255.255.255.248
        set allowaccess ping
        set type physical
        set alias "WAN-DR"
        set role wan
        set snmp-index 3
    next
    edit "VXLAN90-SW"
        set vdom "root"
        set ip 192.168.1.2 255.255.255.0
        set allowaccess ping https ssh http
        set broadcast-forward enable
        set l2forward enable
        set type switch
        set snmp-index 14
    next
    edit "VXLAN12-SW"
        set vdom "root"
        set ip 192.168.12.100 255.255.255.0
        set allowaccess ping https ssh
        set broadcast-forward enable
        set l2forward enable
        set type switch
        set device-identification enable
        set role lan
        set snmp-index 15
    next
end

config system vxlan
    edit "VXLAN90"
        set interface "port3"
        set vni 90
        set remote-ip "172.16.16.98"
    next
    edit "VXLAN12"
        set interface "port3"
        set vni 12
        set remote-ip "172.16.16.98"
    next
end

And on DR:
config system interface
    edit "port2"
        set vdom "root"
        set ip 172.16.16.98 255.255.255.248
        set allowaccess ping https
        set type physical
        set alias "WAN-HQ"
        set role wan
        set snmp-index 2
    next
    edit "port3"
        set vdom "root"
        set type physical
        set alias "VL90"
        set role lan
        set snmp-index 3
    next
    edit "VXLAN12-SW"
        set vdom "root"
        set ip 192.168.12.101 255.255.255.0
        set allowaccess ping https ssh http
        set broadcast-forward enable
        set l2forward enable
        set type switch
        set snmp-index 15
    next
    edit "VXLAN90-SW"
        set vdom "root"
        set ip 192.168.1.102 255.255.255.0
        set allowaccess ping https ssh http
        set broadcast-forward enable
        set l2forward enable
        set type switch
        set snmp-index 14
    next
end

config system vxlan
    edit "VXLAN90"
        set interface "port2"
        set vni 90
        set remote-ip "172.16.16.97"
    next
    edit "VXLAN12"
        set interface "port2"
        set vni 12
        set remote-ip "172.16.16.97"
    next
end
My question is: is such a setup supported on FortiGate?

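An added example, not from this thread or from Fortinet: a small parser for CLI blocks in the form the post shows, plus a cross-check of the two sites' VXLAN configs (each VNI present on the peer, each remote-ip matching an underlay address on the peer, and no interface placed in two software switches, the limit the post runs into). The parser, the checks and the sample configs are constructed here; sample addresses and VNIs are modelled on the post, and the DR sample deliberately puts port3 in both switches.

```python
def parse_fortios(text):
    """Constructed FortiOS CLI parser (added example): {table: {entry: {key: [values]}}}."""
    tables, stack = {}, []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "config":
            stack.append([" ".join(tok[1:]), None])
            tables.setdefault(stack[-1][0], {})
        elif tok[0] == "edit":
            stack[-1][1] = tok[1].strip('"')
            tables[stack[-1][0]].setdefault(stack[-1][1], {})
        elif tok[0] == "set":
            tables[stack[-1][0]][stack[-1][1]][tok[1]] = [v.strip('"') for v in tok[2:]]
        elif tok[0] == "end":
            stack.pop()
    return tables

def check_site(local, peer):
    """Findings: VNI missing on peer, remote-ip not a peer address, interface in two switches."""
    findings, owner = [], {}
    peer_vnis = {e.get("vni", [None])[0] for e in peer.get("system vxlan", {}).values()}
    peer_ips = {e["ip"][0] for e in peer.get("system interface", {}).values() if "ip" in e}
    for name, e in local.get("system vxlan", {}).items():
        vni, rip = e.get("vni", [None])[0], e.get("remote-ip", [None])[0]
        if vni not in peer_vnis:
            findings.append(f"{name}: VNI {vni} has no counterpart on the peer")
        if rip not in peer_ips:
            findings.append(f"{name}: remote-ip {rip} is not an interface IP on the peer")
    for name, e in local.get("system interface", {}).items():
        for member in e.get("member", []):  # FortiOS allows one software switch per member
            if member in owner:
                findings.append(f"{member}: member of both {owner[member]} and {name}")
            owner[member] = name
    return findings

# Constructed sample configs modelled on the thread; DR deliberately puts port3 in both switches.
HQ = ('config system interface\nedit "port3"\nset ip 172.16.16.97 255.255.255.248\nnext\n'
      'edit "VXLAN90-SW"\nset type switch\nset member "VXLAN90" "port4"\nnext\n'
      'edit "VXLAN12-SW"\nset type switch\nset member "VXLAN12" "port5"\nnext\nend\n'
      'config system vxlan\nedit "VXLAN90"\nset interface "port3"\nset vni 90\nset remote-ip "172.16.16.98"\nnext\n'
      'edit "VXLAN12"\nset interface "port3"\nset vni 12\nset remote-ip "172.16.16.98"\nnext\nend')
DR = ('config system interface\nedit "port2"\nset ip 172.16.16.98 255.255.255.248\nnext\n'
      'edit "VXLAN90-SW"\nset type switch\nset member "VXLAN90" "port3"\nnext\n'
      'edit "VXLAN12-SW"\nset type switch\nset member "VXLAN12" "port3"\nnext\nend\n'
      'config system vxlan\nedit "VXLAN90"\nset interface "port2"\nset vni 90\nset remote-ip "172.16.16.97"\nnext\n'
      'edit "VXLAN12"\nset interface "port2"\nset vni 12\nset remote-ip "172.16.16.97"\nnext\nend')
```

Run `check_site(parse_fortios(DR), parse_fortios(HQ))` to see the double-membership finding; pasting a real `show system interface` / `show system vxlan` output in place of the samples works the same way.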
ManuAqui
New Contributor

Hi, did you manage to find a solution to this? I need to have a VXLAN setup with more than one VLAN, but I'm not having any luck!

Caesthor
New Contributor

Hello!

I set it up in my home lab between two FGT 60E units connected over IPsec.

I have two VLANs.

I followed this article. That's working fine for me.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-VXLAN-over-IPsec-for-multiple-VLANs-using-...

Good luck ;)