Fortigate 300C network problem
Hello!
I have two Fortigate 300C devices in two buildings. The connection is a layer 3 connection with static routes, as shown in the uploaded picture. The connection between the two Fortigates is configured on port 2. Also on Port 2 there is a tunnel interface with an IP address. The routing configuration between the Fortigates is static routing. On port 1 on both Fortigates is the connection to the local network of both buildings (connection to the main switches of the buildings).
Now I want to transport a second network from the Fortigate 1 over Port 2 to the Fortigate 2 device. This second network is connected on port 3 on the device Fortigate 1. The port on the Switch pointing to the Fortigate 1 is tagged, with one VLAN (VLAN ID 20). I want to transport this VLAN 20 tagged from port 3 (Fortigate 1) over the Port 2 to the other device Fortigate 2 and connect a switch on Port 3 on Fortigate 2. This switch will add this tagged VLAN 20 on its uplink port and then the other Ports will be untagged.
How can I configure the Fortigates so that the Layer 2 network will be transported over the Layer 3 network? I've tried to create a VLAN subinterface on port 2 and then created a software switch, combining the VLAN and the port 3, but it sadly didn't work.
I look forward to your reactions.
Mario
Labels: 5.0
So, you want both fortigates to have the same layer2 network for this vlan20? What you are describing is a VXLAN.
To my knowledge this requires FortiOS 5.4:
http://kb.fortinet.com/kb/documentLink.do?externalID=FD38614
Exactly.
But also the other layer 3 network over the tunnel.
I will try to configure it, after the firmware upgrade.
Thank you!
Hello!
So if I got it right, I have to create a second tunnel (ipsec) and bind it to the port2?
(then the existing WAN tunnel and the new VXLAN IPsec tunnel will be transported over port2)
I've created a new image of how it should look in the end.
You will create a VXTunnel and bind it to the software switch of the networks you want to bridge over.
For instance,
FGT1 has 192.168.1.0/24 on Port 1
FGT2 has 192.168.1.0/24 on Port 2
FGT1 make VXLAN tunnel and attach it via software switch to port 1 (so they bridge and broadcast across)
FGT2 make VXLAN tunnel and attach it via software switch to port 2 (so they bridge and broadcast across)
That single VLAN is then bridged across both gates so you can have the same local subnet on both sides.
Mike Pruett
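A CLI rendering of the layout Mike describes, added here as an illustration and not taken from the thread or from Fortinet documentation: each 300C gets a VXLAN endpoint on the port2 link and bridges it with the local VLAN port through a software switch. The port2 addresses (10.10.10.1 / 10.10.10.2), the VNI 20 and the interface names are constructed placeholders; port3 is used as the local member to match the original question rather than port1 as in Mike's example.

```text
# FGT1 (assumed port2 address 10.10.10.1, peer FGT2 at 10.10.10.2)
config system vxlan
    edit "vxlan20"
        set interface "port2"        # underlay: the direct port2 link between the 300Cs
        set vni 20                   # VXLAN network identifier, must be identical on both ends
        set remote-ip "10.10.10.2"   # FGT2's port2 address (constructed value)
    next
end
config system switch-interface
    edit "software_switch"
        set vdom "root"
        set member "port3" "vxlan20" # bridge the local VLAN 20 port with the tunnel
    next
end

# FGT2 (assumed port2 address 10.10.10.2, peer FGT1 at 10.10.10.1) - mirror image
config system vxlan
    edit "vxlan20"
        set interface "port2"
        set vni 20
        set remote-ip "10.10.10.1"   # FGT1's port2 address (constructed value)
    next
end
config system switch-interface
    edit "software_switch"
        set vdom "root"
        set member "port3" "vxlan20"
    next
end
```

Once both software switches are up, a host behind port3 on either side sits in one broadcast domain; firewall policies still need to reference "software_switch" rather than port3, since port3 is no longer an independent interface.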
Hello!
I solved my problem.
First I created a new VLAN named "test_vlan" and bound it to port2.
When I opened the drop down menu of port2, there was shown the tunnel interface and the "test_vlan".
Then I changed the status of port3 to "up".
I created a software switch named "software_switch" and added port3 and "test_vlan".
After that, port3 and the VLAN interface of port2 disappeared and were shown under the interface "software_switch".
I made the same configuration on the second Fortigate 300C.
On both sides on port3, I connected a switch, which has a port untagged in the same VLAN, also named "test_vlan"
and also having the same VLAN ID. I configured another port in the same VLAN on the destination switch, for testing the connection, and it worked!