Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Toshi_Esumi
Esteemed Contributor III

VLAN inside VXLAN with 6.2.3

Did anyone make below set up work successfully with 6.2.3? I'm just testing with relatively simple set up: FG50E -- FG30E direct connection and trying to connect vlan 100 network on both ends. Likely my test environment is causing some issues. But once I drop the vlan subinterface and use it's parent interface without vlan tag, it just works end to end. Sniffing shows ARP requests arrive at local vlan100 subinterface, but never goes over to the other side.

https://docs.fortinet.com...4150/vlan-inside-vxlan

 

 

 

1 Solution
ispcolohost

I'm considering abandoning the attempt and moving to a linux-based vxlan bridge downstream of the Fortigate.  The issue on the Fortigate side is it forces you into software switch, physical port, etc. so you lose physical redundancy, port aggregation, and throughput is going to be severely limited by fowarding on the CPU.  Their vxlan implementation seems to be a sloppy afterthought.  If you have something else doing the encapsulation that can do it efficiently, and the Fortigate sticks to ipsec in hardware (plus lacp and HA), you can get the thoughput and redundancy back.

View solution in original post

12 REPLIES 12
steveballantyne

I would also like to see a working example. I have had a case open with support for a week or so, with no response. And I am under the gun to get this working. I have a successful IPSec tunnel, and traffic is passing from my remote FortiGate to my Palo Alto at the main HQ. But traffic is not flowing back through the FortiGate side correctly. Palo Alto support says it's the issue is on the FortiGate side.

 

If I could see a complete working configuration, that would really help. To further complicate my situation, I am also trying to do multiple VLANs.

ispcolohost

I'm considering abandoning the attempt and moving to a linux-based vxlan bridge downstream of the Fortigate.  The issue on the Fortigate side is it forces you into software switch, physical port, etc. so you lose physical redundancy, port aggregation, and throughput is going to be severely limited by fowarding on the CPU.  Their vxlan implementation seems to be a sloppy afterthought.  If you have something else doing the encapsulation that can do it efficiently, and the Fortigate sticks to ipsec in hardware (plus lacp and HA), you can get the thoughput and redundancy back.

steveballantyne

ispcolohost wrote:

I'm considering abandoning the attempt and moving to a linux-based vxlan bridge downstream of the Fortigate. 

That is not a bad idea! That leaves me with another device that I have to secure and keep updated. But there are plenty of thin distros out there that could do it.

 

ispcolohost wrote:

The issue on the Fortigate side is it forces you into software switch, physical port, etc. so you lose physical redundancy, port aggregation, and throughput is going to be severely limited by fowarding on the CPU.  Their vxlan implementation seems to be a sloppy afterthought.

I was thinking the same thing. There seems to be a weird breakdown on the return path through the three soft-switches that I had to create to make this all possible. Not to mention, none of the KB's really give a play-by-play to make any of this work. I don't typically stray into the CLI of a FortiGate. And the first KB that I pulled up on the topic of VXLAN was with using ports that are part of the LAN soft-switch, with no instructions on removing ports from the built in soft-switch.

 

While it may be possible to do some of this from the web GUI, there are certain elements such as multiple VLAN's on a single VXLAN VNI which are only supported in the CLI. Weird.

Top Kudoed Authors