Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
abarushka
Staff
Staff

Created on ‎10-02-2019 01:35 AM

Article Id 198763

Technical Tip: How to configure native VXLAN without encryption

Description
This article explains how to configure native VXLAN without encryption.

Solution
FortiGate A

Configure vxlan. It is necessary to specify WAN interface, VNI and WAN IP address of the remote site.
#config system vxlan
    edit "name_1"
        set interface "port1"
        set vni 100
        set remote-ip "10.5.25.81"
    next
end
It is necessary to configure softswitch and put LAN and VXLAN interfaces as members.
#config system switch-interface
    edit "name_2"
        set vdom "root"
        set member "name_1" "port2"
    next
end
Note: VXLAN interface below will be created automatically

    #edit "name_1"
        set vdom "root"
        set type vxlan
        set snmp-index 12
        set interface "port1"
    next
FortiGate B

Configure vxlan. It is necessary to specify WAN interface, VNI and WAN IP address of the remote site.
#config system vxlan
    edit "name_1"
        set interface "port1"
        set vni 100
        set remote-ip "10.5.21.41"
    next
end
It is necessary to configure softswitch and put LAN and VXLAN interfaces as members.
#config system switch-interface
    edit "name_2"
        set vdom "root"
        set member "name_1" "port2"
    next
end
Note: VXLAN interface below will be created automatically.
    #edit "name_1"
        set vdom "root"
        set type vxlan
        set snmp-index 12
        set interface "port1"
    next
Verify connectivity using sniffer:
FortiGate A # diagnose sniffer packet any 'icmp and host 10.0.0.1 and host 10.0.0.2' 4 0 a
interfaces=[any]
filters=[icmp and host 10.0.0.1 and host 10.0.0.2]
2019-10-01 12:31:33.914921 port2 in 10.0.0.1 -> 10.0.0.2: icmp: echo request
2019-10-01 12:31:33.914935 name_1 out 10.0.0.1 -> 10.0.0.2: icmp: echo request
2019-10-01 12:31:33.917174 name_1 in 10.0.0.2 -> 10.0.0.1: icmp: echo reply
2019-10-01 12:31:33.917178 port2 out 10.0.0.2 -> 10.0.0.1: icmp: echo reply

FortiGate B # diagnose sniffer packet any 'icmp and host 10.0.0.1 and host 10.0.0.2' 4 0 a
interfaces=[any]
filters=[icmp and host 10.0.0.1 and host 10.0.0.2]
2019-10-01 12:31:33.862877 name_1 in 10.0.0.1 -> 10.0.0.2: icmp: echo request
2019-10-01 12:31:33.862896 port2 out 10.0.0.1 -> 10.0.0.2: icmp: echo request
2019-10-01 12:31:33.864564 port2 in 10.0.0.2 -> 10.0.0.1: icmp: echo reply
2019-10-01 12:31:33.864579 name_1 out 10.0.0.2 -> 10.0.0.1: icmp: echo reply
Note: Traffic traversing softswitch cannot be offloaded to network processor. Therefore, higher CPU usage might be expected.
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-hardware-acceleration-52/acceleratio... (“Software switch interfaces and NP processors” section)

4462
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.