Did anyone make below set up work successfully with 6.2.3? I'm just testing with relatively simple set up: FG50E -- FG30E direct connection and trying to connect vlan 100 network on both ends. Likely my test environment is causing some issues. But once I drop the vlan subinterface and use it's parent interface without vlan tag, it just works end to end. Sniffing shows ARP requests arrive at local vlan100 subinterface, but never goes over to the other side.
https://docs.fortinet.com...4150/vlan-inside-vxlan
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I'm considering abandoning the attempt and moving to a linux-based vxlan bridge downstream of the Fortigate. The issue on the Fortigate side is it forces you into software switch, physical port, etc. so you lose physical redundancy, port aggregation, and throughput is going to be severely limited by fowarding on the CPU. Their vxlan implementation seems to be a sloppy afterthought. If you have something else doing the encapsulation that can do it efficiently, and the Fortigate sticks to ipsec in hardware (plus lacp and HA), you can get the thoughput and redundancy back.
Hi Toshi,
Did you get any further with this? I've been wanting to test this as well, but don't have a second lab FortiGate and would like to hear a success story before I test this on production over IPsec.
So far I haven't figured out a way for this 6.2 new feature (to me the whole reason to have VXLAN) to work, while 6.0 supported part works fine. That's why I posted the question if anyone had made it work. I'm feeling the description in Cookbook is missing something important. If no reply from others, I will need to move my current test environment to another FGT that has a support then open a ticket at TAC to get help.
Toshi
When you do 'diag sniffer packet < vxlan interface > ' what do you see when traffic is being generated? in or out ?
Ken Felix
PCNSE
NSE
StrongSwan
Last time when I sniffed it I did it with the main vxlan interface instead of its vlan subinterface and saw nothing. I might have needed to sniff at the subinterface. Once I moved the environment, I'll try that too.
Yes do the subinterface and generate traffic from A -to Z and then Z to A directions and see if you get any packets.
We started using linux for our vxlan transport. The performance is much better.
ken
PCNSE
NSE
StrongSwan
All right. It works now after I moved one side to FG60E. Since I reconfigured FG30E side from scratch, I don't know what I misconfigured. But likely I put the parent vxlan interface into the soft-switch interface while I was supposed to put the vlan sub-interface into it, or something like that kind of a simple mistake or two...
I'm using multivdom environment on one side and two physical switches (Cisco and Juniper) are involved to convert untagged to/from tagged on both sides, it complicated the cabling too, which might have confused myself.
I was surprised to see only internal (overlay) packets when I sniffed on the tagged vxlan sub-interface. But this might make sense if the outer (underlay) UDP header is added/stripped in-between the vxlan sub-interface and the physical ougoing port.
I'll proceed to "VLAN inside VXLAN over IPSec" like tanr has been planning.
Toshi
Hi Toshi
I created a sample configuration example for VLAN in VXLAN over IPsec.
If you need help with the manual please let me know.
Cheers,
scan
Thanks scan,
Hi all, I could use that sample config if you all have it available, or any guidance. I'm also attempting vlan in vxlan across ipsec.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1660 | |
1072 | |
751 | |
443 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.