Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
5q46n2te8jPWJY
Contributor

Created on ‎11-21-2024 03:56 AM Edited on ‎11-21-2024 03:59 AM

VXLAN over IPSEC - ARP Table Issue on Inter-VLAN Communication

Hello,

 

I’ve set up two sites connected via VXLAN over IPSEC, and everything is functioning as expected.

 

VXLAN Fortigate support forti vlan 10-20.drawio.png

 

However, I’ve noticed an issue with ARP behavior under specific conditions:

 

  • From Site A, when I connect from another VLAN (e.g., VLAN 30) to a virtual machine in VLAN 10 or VLAN 20 on Site B, I observe a change in the ARP table on the device in Site B.

Example:

 

  • I check the ARP table of PC B20 (a device in VLAN 20 on Site B).
    • The MAC address for 10.112.20.254 (router’s IP) initially shows 00:09:0f:09:00:00 (MAC address of the FortiGate on Site B).
  • When I connect from PC A30 (a device in VLAN 30 on Site A) to PC B20, and I re-check the ARP table on PC B20, the MAC address for 10.112.20.254 changes to 00:09:0f:09:02:00 (MAC address of the FortiGate on Site A).

This unexpected behavior raises concerns about network stability and could impact communication.

 

Has anyone encountered a similar issue, or does anyone have insights on why the ARP entry changes in this way? Could this be related to VXLAN or routing settings?

 

Thanks in advance for your help!

Labels:
66
0 Kudos
4 REPLIES 4
tachen
New Contributor II

Created on ‎11-21-2024 04:41 AM

Happy to see you again since from your last similar topic.

 

However since you have duplicated gateway IP address in same broadcast domain bridged by a single VXLAN instance, an uncontrolled ARP flooding without addition control plane helping will cause the collision and flapping.

 

I got what you want and I believe what you need is distributed anycast gateway and IRB (Integrated Routing and Bridging) of EVPN which FortiOS 7.4.5 not support yet.

47
5q46n2te8jPWJY
Contributor

Created on ‎11-21-2024 05:12 AM

Thanks,

 

Can you tell me more about that ? Do you have documentation ? Wich version of FortiOS support it ?

34
0 Kudos
tachen
New Contributor II
In response to 5q46n2te8jPWJY

Created on ‎11-21-2024 06:31 AM

No current FortiOS version support this time, so there's no official documentation. Confirm supported RFCs and MP-BGP EVPN features: 

https://docs.fortinet.com/document/fortigate/7.6.0/supported-rfcs/939093/supported-rfcs 

https://docs.fortinet.com/document/fortigate/7.4.5/administration-guide/52499/vxlan-with-mp-bgp-evpn 

 

As you haven't implemented MP-BGP EVPN control plane for your VXLAN network, a basic knowledge of VXLAN with MP-BGP EVPN is needed and can be acquired via the second URL above, though this is not enough.

 

For a further regarding anycast gateway and IRB, I advise that Google it and seeking for documents from corresponding vendors such as Cisco.

12
0 Kudos
5q46n2te8jPWJY
Contributor
In response to tachen

Created on ‎11-21-2024 06:54 AM

Thank you, is there a way to achieve my configuration as I want it?

4
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.