The infrastructure diagram for this example consists of three VLANs (10, 20 and 30) on the WEST side and two VLANs (10 and 20) on the EAST side.
The objective is to enable Layer 2 traffic between both sites using a single VNI.
For this purpose, the VLAN tag is encapsulated inside the VXLAN.
This scenario applies when Layer 2 traffic from multiple customer VLANs must be supported, with a dedicated VNI for each customer.

Note: the connections between the switches and the FortiGates are in trunk mode.
There are two ways of doing this:
- Encapsulate each VLAN interface tag in the VXLAN.
FGT_WEST:

config system interface
    edit "wan"
        set vdom "root"
        set ip 11.11.11.11 255.255.255.0
        set allowaccess ping
        set type physical
    next
    edit "Lo1"
        set vdom "root"
        set ip 1.1.1.1 255.255.255.255
        set allowaccess ping https http
        set type loopback
    next
    edit "vlan10"
        set vdom "root"
        set role lan
        set interface "port2"
        set vlanid 10
    next
    edit "vxlan10"
        set vdom "root"
        set role lan
        set interface "vxlan"    <----- VXLAN interface.
        set vlanid 10            <----- Tagging in VXLAN.
    next
    edit "vlan20"
        set vdom "root"
        set role lan
        set interface "port2"
        set vlanid 20
    next
    edit "vxlan20"
        set vdom "root"
        set role lan
        set interface "vxlan"    <----- VXLAN interface.
        set vlanid 20            <----- Tagging in VXLAN.
    next
end
config system vxlan
    edit "vxlan"
        set interface "Lo1"
        set vni 100
        set remote-ip "2.2.2.2"
    next
end
config system switch-interface
    edit "sw"
        set vdom "root"
        set member "vlan10" "vxlan10"
    next
    edit "sw1"
        set vdom "root"
        set member "vlan20" "vxlan20"
    next
end
config firewall policy
    edit 1
        set srcintf "Lo1"
        set dstintf "VPN_toEAST"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
    edit 2
        set srcintf "VPN_toEAST"
        set dstintf "Lo1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
end
config router static
    edit 2
        set dst 2.2.2.2 255.255.255.255
        set device "VPN_toEAST"
    next
end
FGT_EAST:

config system interface
    edit "wan"
        set vdom "root"
        set ip 22.22.22.22 255.255.255.0
        set allowaccess ping
        set type physical
    next
    edit "Lo1"
        set vdom "root"
        set ip 2.2.2.2 255.255.255.255
        set allowaccess ping https http
        set type loopback
    next
    edit "vlan10"
        set vdom "root"
        set role lan
        set interface "port2"
        set vlanid 10
    next
    edit "vxlan10"
        set vdom "root"
        set role lan
        set interface "vxlan"    <----- VXLAN interface.
        set vlanid 10            <----- Tagging in VXLAN.
    next
    edit "vlan20"
        set vdom "root"
        set role lan
        set interface "port2"
        set vlanid 20
    next
    edit "vxlan20"
        set vdom "root"
        set role lan
        set interface "vxlan"    <----- VXLAN interface.
        set vlanid 20            <----- Tagging in VXLAN.
    next
end
config system vxlan
    edit "vxlan"
        set interface "Lo1"
        set vni 100
        set remote-ip "1.1.1.1"
    next
end
config system switch-interface
    edit "sw"
        set vdom "root"
        set member "vlan10" "vxlan10"
    next
    edit "sw1"
        set vdom "root"
        set member "vlan20" "vxlan20"
    next
end
config firewall policy
    edit 1
        set srcintf "Lo1"
        set dstintf "VPN_toWEST"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
    edit 2
        set srcintf "VPN_toWEST"
        set dstintf "Lo1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
end
config router static
    edit 2
        set dst 1.1.1.1 255.255.255.255
        set device "VPN_toWEST"
    next
end

Note: the IPsec configuration is omitted because it is a simple site-to-site IPsec tunnel; no specific configuration is needed.
In this configuration example, after creating the VXLAN, new VLAN interfaces (vxlan10 and vxlan20) should be created that use the 'vxlan' interface as their parent interface instead of the physical FortiGate interface, each tagged with the corresponding VLAN ID.
This ensures that the Layer 2 traffic is tagged and encapsulated by the VXLAN towards the remote site.
After that, these interfaces should be used in a software switch, one per vlanX/vxlanX pair.
The final result is tagged Layer 2 traffic from multiple VLANs using the same VNI.
The following is a packet capture taken on-wire, after the frame egressed from the FGT_WEST WAN interface. The ESP traffic was decrypted, and this is the result of a ping from 192.168.120.1 to 192.168.120.2:

The ICMP echo request is tagged with VLAN ID 10 and encapsulated by the VXLAN with VNI 100.
This traffic is then encapsulated by ESP and flows to the remote site, where it is decapsulated in the reverse order.
- Encapsulate the FortiGate physical interface (trunk) in the VXLAN.
FGT_WEST:

config system interface
    edit "wan"
        set vdom "root"
        set ip 11.11.11.11 255.255.255.0
        set allowaccess ping
        set type physical
    next
    edit "Lo1"
        set vdom "root"
        set ip 1.1.1.1 255.255.255.255
        set allowaccess ping https http
        set type loopback
    next
end
config system vxlan
    edit "vxlan"
        set interface "Lo1"
        set vni 100
        set remote-ip "2.2.2.2"
    next
end
config system switch-interface
    edit "sw"
        set vdom "root"
        set member "port2" "vxlan"
    next
end
config firewall policy
    edit 1
        set srcintf "Lo1"
        set dstintf "VPN_toEAST"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
    edit 2
        set srcintf "VPN_toEAST"
        set dstintf "Lo1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
end
config router static
    edit 2
        set dst 2.2.2.2 255.255.255.255
        set device "VPN_toEAST"
    next
end
FGT_EAST:

config system interface
    edit "wan"
        set vdom "root"
        set ip 22.22.22.22 255.255.255.0
        set allowaccess ping
        set type physical
    next
    edit "Lo1"
        set vdom "root"
        set ip 2.2.2.2 255.255.255.255
        set allowaccess ping https http
        set type loopback
    next
end
config system vxlan
    edit "vxlan"
        set interface "Lo1"
        set vni 100
        set remote-ip "1.1.1.1"
    next
end
config system switch-interface
    edit "sw"
        set vdom "root"
        set member "port2" "vxlan"
    next
end
config firewall policy
    edit 1
        set srcintf "Lo1"
        set dstintf "VPN_toWEST"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
    edit 2
        set srcintf "VPN_toWEST"
        set dstintf "Lo1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
end
config router static
    edit 2
        set dst 1.1.1.1 255.255.255.255
        set device "VPN_toWEST"
    next
end

Note: the IPsec configuration is omitted because it is a simple site-to-site IPsec tunnel; no specific configuration is needed.
In this second method, no VLAN interfaces are created on the FortiGate.
Instead of creating all the VLAN interfaces on the physical interface and on the vxlan interface, the physical port (port2) is added to the software switch. Since the connection from the switch to the FortiGate is configured in trunk mode, all the VLANs in the trunk carry their VLAN tag, and the FortiGate encapsulates the frames as-is into the VXLAN.
This method requires less configuration; however, the FortiGate will encapsulate into the VXLAN all the tagged traffic it receives, even for VLANs that do not exist on the other side (in this example, VLAN 30).
Here is a pcap taken on-wire, after the frame egressed from the FGT_WEST WAN interface. The ESP traffic was decrypted, and this is the result of an ARP request from 192.168.130.1 to 192.168.130.2 (a non-existent machine):

The ARP request from VLAN 30 reaches FortiGate port2, and this traffic is encapsulated by the VXLAN with VNI 100.
This traffic is then encapsulated by ESP and flows to the remote site, where it is decapsulated in the reverse order.
However, the remote site does not have VLAN 30, so VXLAN traffic flows for VLANs that do not exist on the remote side.
When this method is used, the trunks on the switches should be adjusted to permit only the necessary VLANs, to prevent unnecessary VXLAN traffic.
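Both captures above show the same structure: an 802.1Q-tagged frame carried inside a VXLAN payload with VNI 100, first a VLAN 10 ping (method 1) and then a VLAN 30 ARP request that EAST cannot use (method 2). The script below is an added example, not code from the Fortinet article; it builds constructed sample frames of that shape, parses the VXLAN header and the inner VLAN tag, and lists the VLAN IDs being encapsulated that the remote site does not carry. The frame contents, MAC addresses and function names are assumptions; EAST's VLAN set {10, 20} comes from the diagram.

```python
import struct

TPID_8021Q = 0x8100          # 802.1Q tag protocol identifier
VXLAN_FLAG_VNI_VALID = 0x08  # "I" flag in the VXLAN header (RFC 7348)

def build_vxlan_frame(vni, vlan_id, ethertype, payload,
                      dst_mac=b"\xff" * 6, src_mac=b"\x02\x00\x00\x00\x00\x01"):
    """Constructed sample: VXLAN header followed by an 802.1Q-tagged inner frame."""
    # VXLAN header: flags, 3 reserved bytes, 24-bit VNI, 1 reserved byte
    vxlan_hdr = struct.pack("!B3sI", VXLAN_FLAG_VNI_VALID, b"\x00" * 3, vni << 8)
    tag = struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)  # PCP/DEI left at 0
    inner = dst_mac + src_mac + tag + struct.pack("!H", ethertype) + payload
    return vxlan_hdr + inner

def parse_vxlan_frame(data):
    """Return (vni, vlan_id or None, inner ethertype) for a decrypted VXLAN payload."""
    flags, _, vni_field = struct.unpack("!B3sI", data[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN header without a valid VNI flag")
    inner = data[8:]
    etype = struct.unpack("!H", inner[12:14])[0]
    if etype == TPID_8021Q:                      # tagged frame, as in both methods above
        tci = struct.unpack("!H", inner[14:16])[0]
        return vni_field >> 8, tci & 0x0FFF, struct.unpack("!H", inner[16:18])[0]
    return vni_field >> 8, None, etype           # untagged frame

def stray_vlans(frames, remote_vlans):
    """VLAN IDs carried inside the VXLAN that the remote site does not have."""
    seen = set()
    for frame in frames:
        _, vid, _ = parse_vxlan_frame(frame)
        if vid is not None and vid not in remote_vlans:
            seen.add(vid)
    return sorted(seen)

# Constructed sample of what FGT_WEST sends with method 2: VLAN 10 ICMP, VLAN 20 and
# VLAN 30 ARP, all on VNI 100. EAST only carries VLANs 10 and 20 (assumed from the diagram).
SAMPLE_FRAMES = [
    build_vxlan_frame(100, 10, 0x0800, b"\x45" + b"\x00" * 27),  # IPv4/ICMP placeholder
    build_vxlan_frame(100, 20, 0x0806, b"\x00" * 28),            # ARP placeholder
    build_vxlan_frame(100, 30, 0x0806, b"\x00" * 28),            # ARP for 192.168.130.2
]
EAST_VLANS = {10, 20}

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print("VNI %d VLAN %s ethertype 0x%04x" % parse_vxlan_frame(f))
    print("VLANs encapsulated but absent on EAST:", stray_vlans(SAMPLE_FRAMES, EAST_VLANS))
```

Feeding the decrypted VXLAN payloads from a capture like the one above into stray_vlans is a quick way to confirm that the switch trunk has been pruned to only the VLANs the remote site carries.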
Related documents:
Technical Tip: How to setup a VXLAN over IPsec deployment
VLAN Inside VXLAN