New Contributor

VXLAN with sub-interfaces?

We find ourselves in a situation where we need to have a VLAN in our datacenter, and then have part of that VLAN in our office building as well. Having two different VLANs and just routing traffic is not an option.

We are using our FG 1000C, running 5.6.7, basically as a router on a stick. We have about 70 VDOMs. Corporate incoming traffic comes in on one port, and then there is one port with a bunch of VDOMs assigned to sub-interfaces that then connects into our switching fabric. There is also a path out to the internet through the switching fabric.

So we have the VLANs on our switching fabric for each of the VDOMs, and everything between the VDOMs hairpins through the trunk back to the 1000C. Works just fine now. But now we are splitting the datacenter from our office space, so I cannot just put a room on a particular VLAN by configuring a port on the switching fabric.

I will need to have that VLAN traverse the internet, in an IPSEC tunnel, using VXLAN, and have it come out in our office space on a FG firewall there. Then that will hook into our switching fabric there.

It seems like it would be pretty easy if we were using physical interfaces. So put a VLAN on an interface by itself, create a virtual switch, put the physical interface and the IPSEC tunnel on that switch, and that should do it. But from what I have determined, I cannot add a sub-interface instead of a physical interface. It would be nice if I could, because then I could just create a virtual switch, add the sub-interface and the IPSEC tunnel to it, and VLAN traffic would go over the IPSEC tunnel and out the sub-interface to the local switching fabric.

Any suggestions on how to maybe get around this? Am I right in that I cannot use a sub-interface, and have to use a physical interface? When I try to configure, I only see physical interfaces as a choice; the sub-interfaces do not show up.
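
The "dedicated physical port plus software switch plus IPsec tunnel" layout described in the question, written out as FortiOS CLI for the datacenter side. This is an added illustration, not configuration from the thread or from Fortinet; the interface names, VDOM, addresses, proposals and the pre-shared key placeholder are all assumed, and the office-side FortiGate would mirror it with the gateway addresses swapped.

```fortios
# Added illustration (assumed names/addresses): stretch one VLAN over
# VXLAN inside an IPsec tunnel, bridged to a dedicated physical port.
# port1 faces the internet; port3 is the physical port that carries
# the stretched VLAN (a physical member, as the question describes,
# not a VLAN sub-interface).

config vpn ipsec phase1-interface
    edit "vxlan-ipsec"
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        # public address of the office FortiGate (assumed)
        set remote-gw 203.0.113.2
        # carry Layer 2 frames inside the tunnel; VXLAN endpoint
        # addresses live inside the IPsec SA, not on the internet
        set encapsulation vxlan
        set encapsulation-address ike
        set encap-local-gw4 10.255.0.1
        set encap-remote-gw4 10.255.0.2
        set psksecret "REPLACE-WITH-LONG-RANDOM-PSK"
    next
end

config vpn ipsec phase2-interface
    edit "vxlan-ipsec"
        set phase1name "vxlan-ipsec"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
    next
end

# Software switch that bridges the tunnel and the physical port.
# "root" stands in for whichever VDOM owns this VLAN in a multi-VDOM box.
config system switch-interface
    edit "vxlan-sw"
        set vdom "root"
        set member "port3" "vxlan-ipsec"
    next
end

config system interface
    edit "vxlan-sw"
        set vdom "root"
        # gateway address for the stretched VLAN (assumed)
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping
    next
end
```

Two points worth checking before relying on a layout like this. VXLAN itself carries no encryption or integrity protection, so the IPsec wrapper is the only thing protecting the stretched segment across the internet; keep the proposals strong and replace the pre-shared key with a long random value or certificate authentication. The double encapsulation (VXLAN header plus ESP) also shrinks the usable MTU, so verify that hosts on the stretched VLAN do not end up with fragmented or dropped large frames. Traffic from other interfaces or VDOMs into the switch interface still needs normal firewall policies; only frames between the two switch members are bridged directly.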



Valued Contributor

I would stay away from VXLAN and 5.6, it was still quite new there.


To be honest, to use VXLAN and tagged VLANs you want to use 6.2 (even though it is very new). In 6.0, when you fail over, your VXLAN config will break if you used tagged VLANs.


Have you seen this kb?

FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiAP 220B/221B, 11C