Hello,
I’ve set up two sites connected via VXLAN over IPSEC, and everything is functioning as expected.
However, I’ve noticed an issue with ARP behavior under specific conditions:
Example:
This unexpected behavior raises concerns about network stability and could impact communication.
Has anyone encountered a similar issue, or does anyone have insights on why the ARP entry changes in this way? Could this be related to VXLAN or routing settings?
Thanks in advance for your help!
Happy to see you again since your last similar topic.
However, since you have a duplicated gateway IP address in the same broadcast domain bridged by a single VXLAN instance, uncontrolled ARP flooding without an additional control plane helping will cause collisions and flapping.
I got what you want, and I believe what you need is a distributed anycast gateway and IRB (Integrated Routing and Bridging) of EVPN, which FortiOS 7.4.5 does not support yet.
Thanks,
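To see the symptom the reply above describes (the same gateway IP answered by two different MACs across the VXLAN-bridged segment), here is an added detection script, not part of the thread or of any Fortinet tool. It parses constructed tcpdump-style ARP reply lines and reports IPs whose MAC binding keeps changing; the IPs and MACs are made up.

```python
"""Detect ARP flapping: one IP answered by more than one MAC.

Added example, not from the forum thread. It parses tcpdump-style
"ARP, Reply ... is-at ..." lines (constructed below) and reports IPs whose
MAC binding changes, the symptom of a gateway IP that exists on both sides
of a VXLAN-bridged broadcast domain with no control plane to arbitrate.
"""
import re
from collections import defaultdict

# Constructed sample in the format of `tcpdump -n arp`; not a real capture.
SAMPLE_ARP_LOG = """\
10:00:01.000001 ARP, Reply 10.10.10.1 is-at 00:09:0f:aa:aa:01, length 28
10:00:01.200000 ARP, Reply 10.10.10.1 is-at 00:09:0f:bb:bb:02, length 28
10:00:02.000000 ARP, Reply 10.10.10.1 is-at 00:09:0f:aa:aa:01, length 28
10:00:02.500000 ARP, Reply 10.10.10.1 is-at 00:09:0f:bb:bb:02, length 28
10:00:03.000000 ARP, Reply 10.10.10.50 is-at 00:11:22:33:44:55, length 28
"""

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-fA-F:]{17})"
)


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for each ARP reply line; other lines are skipped."""
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def find_flapping(text, min_changes=2):
    """Return {ip: (sorted MAC list, change count)} for IPs whose MAC
    changed at least min_changes times between consecutive replies."""
    last_mac = {}
    macs = defaultdict(set)
    changes = defaultdict(int)
    for _ts, ip, mac in parse_arp_replies(text):
        macs[ip].add(mac)
        if ip in last_mac and last_mac[ip] != mac:
            changes[ip] += 1
        last_mac[ip] = mac
    return {ip: (sorted(macs[ip]), changes[ip])
            for ip in macs if changes[ip] >= min_changes}


if __name__ == "__main__":
    for ip, (mac_list, n) in find_flapping(SAMPLE_ARP_LOG).items():
        print(f"{ip}: {n} MAC changes across {mac_list}")
```

Run it against a live `tcpdump -n arp` capture from either site to confirm whether the gateway IP is being claimed by both VTEP-side devices.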
Can you tell me more about that? Do you have documentation? Which version of FortiOS supports it?
No current FortiOS version supports it at this time, so there's no official documentation. Confirm supported RFCs and MP-BGP EVPN features:
https://docs.fortinet.com/document/fortigate/7.6.0/supported-rfcs/939093/supported-rfcs
https://docs.fortinet.com/document/fortigate/7.4.5/administration-guide/52499/vxlan-with-mp-bgp-evpn
As you haven't implemented an MP-BGP EVPN control plane for your VXLAN network, basic knowledge of VXLAN with MP-BGP EVPN is needed and can be acquired via the second URL above, though this is not enough.
For further information regarding anycast gateway and IRB, I advise Googling it and seeking documents from corresponding vendors such as Cisco.
Thank you, is there a way to achieve my configuration as I want it?
Unfortunately I have no idea, not only because of feature limitations but because this topology often leads to asymmetric routing, which breaks stateful firewalling (stateful packet inspection and policy evaluation performed by FortiGate). So a simple VXLAN fabric with an integrated stateful firewall usually combines physical firewalls using session-synced HA like FGCP/FGSP, or definitely primary/backup like VRRP, and offloads the VTEP function and optional anycast gateway function to switches. Want inter-VLAN traffic control instead of having it directly switched by L3 switches while utilizing an anycast gateway? Use VRF on switches and leak the wanted E-W traffic to FortiGate.