Technical Note: Virtual Extensible LAN (VXLAN) configuration on FortiGate

athirat · ‎01-30-2019

Description
VXLAN encapsulates OSI layer 2 Ethernet frames within layer 3 IP packets using standard destination port 4789. VXLAN endpoints that terminate VXLAN tunnels can be virtual or physical switch ports, are known as VXLAN tunnel endpoints (VTEPs).

Solution
Scenario 1 : Unicast VXLAN Example 1 (Performance Test Scenario)

LAN1---(dmz)FGT1(vx1)(wan1 : 1.1.1.1)----Internet----(wan2 : 2.2.2.2)(vx2)FGT2(dmz)---LAN2

FGT1 Configuration

config system vxlan                     // Create a VXLAN interface vx1
    edit "vx1"
        set interface "wan1"                // Set local outgoing interface to "wan1"
        set vni 1000
        set remote-ip 2.2.2.2               // Set remote-ip to FGT2-wan2 IP
    next
end
config system interface                 // Set VTEP vx1 IP
    edit "vx1"
        set ip 1.1.2.1 255.255.255.0
    next
end

- Add firewall policies between VXLAN interface (e.g. vx1) and LAN interface (e.g. dmz)
- Add static route to VXLAN interface

FGT2 Configuration

config system vxlan                     // Create a VXLAN interface vx2
     edit "vx2"
    set interface "wan2"                // Set local outgoing interface to "wan2"
      set vni 1000
        set remote-ip 1.1.1.1               // Set remote-ip to FGT1-wan1 IP
     next
end
config system interface                 // Set VTEP vx2 IP
     edit "vx2"
        set ip 1.1.2.2 255.255.255.0
     next
end

Note: Add policies and route on this site as well

Scenario 2 : Unicast VXLAN Example 2 (Layer 2 Scenario)

LAN---(dmz)FGT1(vx1)(wan1 : 1.1.1.1)----Internet----(wan2 : 2.2.2.2)(vx2)FGT2(dmz)---LAN

FGT1 Configuration

1. Configure VXLAN :

    config system vxlan
        edit vx1
          set interface wan1
            set vni 1000
            set remote-ip 2.2.2.2
      end

2. Bridge the traffic from incoming vlan interface and vxlan :

    config system switch-interface
       edit "sw1"
           set member "vx1" "dmz"            // Let vx1 join the switch interface sw1
           set intra-switch-policy explicit // (optional) mandates firewall policy lookup for bridged traffic
        next

3. If "intra-switch-policy" has been set as explicit, add the firewall policies:

From port2 to FGT1-vx1
From FGT1-vx1 to port2

4. Create a similar configuration on FGT2.

Scenario 3 : Multicast VXLAN Example

    Private_Network1---(dmz)FGT1(vx1)(port1)----+----(port2)(vx2)FGT2(dmz)---Private_Network2
                                                |
    Private_Network3---(dmz)FGT3(vx3)(port3)----+----(port4)(vx4)FGT4(dmz)---Private_Network4
                                                |
                                                :
                                                |
    Private_NetworkA---(dmz)FGTA(vxA)(portA)----+----(portB)(vxB)FGTB(dmz)---Private_NetworkB

    Multicast Group: 225.0.0.1

FGT(n) Configuration:

    config system vxlan // Create a VXLAN interface vx(n)
        edit "vx(n)"
        set interface "port(n)" // Set local outgoing interface to "port(n)"
        set vni 2000
        set remote-ip 225.0.0.1 // Set remote-ip to multicast group
        next
    end
    config system interface // Set VTEP IP
        edit "vx(n)"
        set ip 1.1.(n).1 255.255.255.0
        next
    end

- Other FGT Configurations
- Add firewall policies between VXLAN interface (e.g. vx1) and LAN interface (e.g. dmz)
- Add static route to VXLAN interface

Related links :
https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-whats-new/Top-Network-vxlan.htm