motscmario
New Contributor

Fortigate 300C network problem

Hello!

 

I have two Fortigate 300C devices in two buildings. The connection is a layer 3 connection with static routes, as shown in the uploaded picture. The connection between the two Fortigates is configured on port 2. Also on port 2 there is a tunnel interface with an IP address. The routing configuration between the Fortigates is static routing. On port 1 of both Fortigates is the connection to the local network of the respective building (the connection to the building's main switches).

 

Now I want to transport a second network from Fortigate 1 over port 2 to the Fortigate 2 device. This second network is connected on port 3 of Fortigate 1. The switch port pointing to Fortigate 1 is tagged, with one VLAN (VLAN ID 20). I want to transport this VLAN 20 tagged from port 3 (Fortigate 1) over port 2 to the other device, Fortigate 2, and connect a switch on port 3 of Fortigate 2. This switch will carry the tagged VLAN 20 on its uplink port, and the other ports will be untagged.

 

How can I configure the Fortigates so that the layer 2 network is transported over the layer 3 network? I've tried to create a VLAN subinterface on port 2 and then create a software switch combining the VLAN and port 3, but sadly it didn't work.

 

I look forward to your reactions.

Mario

1 Solution
brycemd
Contributor II

So, you want both Fortigates to have the same layer 2 network for this VLAN 20? What you are describing is a VXLAN.

 

To my knowledge this requires FortiOS 5.4:

http://kb.fortinet.com/kb/documentLink.do?externalID=FD38614

 

motscmario

Exactly.

But also the other layer 3 network over the tunnel.

I will try to configure it, after the firmware upgrade.

 

Thank you!

motscmario

Hello!

So if I got it right, I have to create a second (IPsec) tunnel and bind it to port2?

(Then the existing WAN tunnel and the new VXLAN IPsec tunnel will be transported over port2.)

I've created a new image, how it should look like in the end.

MikePruett

You will create a VXTunnel and bind it to the software switch of the networks you want to bridge over.

 

For instance,

 

FGT1 has 192.168.1.0/24 on Port 1

FGT2 has 192.168.1.0/24 on Port 2

 

FGT1: make a VXLAN tunnel and attach it via a software switch to port 1 (so they bridge and broadcast across)

FGT2: make a VXLAN tunnel and attach it via a software switch to port 2 (so they bridge and broadcast across)

 

That single VLAN is then bridged across both gates so you can have the same local subnet on both sides.

Mike Pruett Fortinet GURU | Fortinet Training Videos
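As an added example of the setup Mike describes (this is not configuration from the thread, from Fortinet's KB article or from either poster), the following is FortiOS 5.4 CLI for FGT1, bridging VLAN 20 on port3 into a VXLAN that rides the port2 link. The interface names, the VNI, and the point-to-point addresses 10.10.10.1/30 (FGT1 port2) and 10.10.10.2/30 (FGT2 port2) are constructed for illustration; FGT2 gets the mirror image with remote-ip 10.10.10.1.

```fortios
# ---- FGT1 (assumed: port2 = 10.10.10.1/30, peer FGT2 port2 = 10.10.10.2/30) ----

# 1. Keep VLAN 20 tagged on port3 by terminating the tag on a VLAN subinterface.
#    A software-switch member must carry no IP address and no policy references.
config system interface
    edit "vlan20"
        set vdom "root"
        set interface "port3"
        set vlanid 20
    next
end

# 2. VXLAN endpoint. Encapsulated frames leave from port2's address toward the
#    peer's port2 address on UDP/4789 (the default dstport). The VNI is
#    arbitrary but must match on both sides; 20 is used here only to mirror the VLAN ID.
config system vxlan
    edit "vx20"
        set interface "port2"
        set vni 20
        set remote-ip "10.10.10.2"
    next
end

# 3. Bridge the local VLAN subinterface and the VXLAN into one layer 2 domain.
#    Frames arriving tagged on port3 are switched into the VXLAN and vice versa.
config system switch-interface
    edit "sw-vlan20"
        set vdom "root"
        set member "vlan20" "vx20"
    next
end

# ---- FGT2: identical, except ----
#   set remote-ip "10.10.10.1"
# and the VLAN subinterface sits on FGT2's port3.
```

Two caveats a practitioner should check before relying on this. First, VXLAN itself has no authentication or encryption, so anyone with access to the port2 link can inject frames into, or read frames from, the bridged VLAN. If that link is not a dedicated, physically controlled fibre, bind the VXLAN to the existing IPsec tunnel interface on port2 instead of to port2 itself (the tunnel must be in interface mode and the remote-ip must be reachable through it), which is also what the thread's "VXLAN over IPsec" wording refers to. Second, VXLAN adds roughly 50 bytes per frame; with a 1500-byte MTU on port2, full-size frames from the VLAN 20 hosts will be fragmented or dropped, so either raise the MTU on the port2 path end to end or lower it on the hosts and confirm with a large, don't-fragment ping across the bridge.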
motscmario

Hello!

I solved my problem.

 

First I created a new VLAN named "test_vlan" and bound it to port2.

When I opened the drop-down menu of port2, the tunnel interface and "test_vlan" were shown.

Then I changed the status of port3 to "up".

I created a software switch named "software_switch" and added port3 and "test_vlan".

After that, port3 and the VLAN interface of port2 disappeared and were shown under the interface "software_switch".

 

I made the same configuration on the second Fortigate 300C.

 

On both sides, on port3, I connected a switch which has a port untagged in the same VLAN, also named "test_vlan" and with the same VLAN ID. I configured another port in the same VLAN on the destination switch to test the connection, and it worked!
