
VXLAN with Multiple Subnets


    Posted 04-15-2019 05:29
    Hi,

    I have a setup for a customer comprising two sites:

    Site A : HQ
    Site B : DR

    We are planning to use VXLAN over an IPsec VPN to extend a few subnets to DR.

    Subnets 192.168.1.0/24 and 192.168.12.0/24 have to be extended using VXLAN. I have tested VXLAN without IPsec VPN in my lab, and I was able to extend VLANs 192.168.1.x and 192.168.12.x.

    But I am not able to use the IPsec interface in this configuration, since the VXLAN interface cannot be used on both software switches.

    In addition, VLAN 192.168.100.0/24 must also be able to communicate with the HQ VLANs.

    This is my VXLAN configuration on both firewalls (as pasted, the VXLAN is bound to the physical WAN ports, not to an IPsec tunnel interface):
    HQ
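    config system interface
        # Physical WAN link toward DR. It is also the underlay for the VXLAN
        # VTEPs in "config system vxlan" below, so VNI traffic rides this port
        # as plain UDP/4789 unless the VXLAN is re-bound to an IPsec tunnel.
        edit "port3"
            set vdom "root"
            set ip 172.16.16.97 255.255.255.248
            set allowaccess ping
            set type physical
            set alias "WAN-DR"
            set role wan
            set snmp-index 3
        next
        # Software switch carrying the stretched 192.168.1.0/24 segment (VNI 90).
        # Its member interfaces are not shown in this paste.
        edit "VXLAN90-SW"
            set vdom "root"
            set ip 192.168.1.2 255.255.255.0
            # "http" dropped: plaintext admin login on an interface that is
            # reachable from both sites over the stretched segment. https/ssh only.
            set allowaccess ping https ssh
            set broadcast-forward enable
            set l2forward enable
            set type switch
            set snmp-index 14
        next
        # Software switch carrying the stretched 192.168.12.0/24 segment (VNI 12).
        edit "VXLAN12-SW"
            set vdom "root"
            set ip 192.168.12.100 255.255.255.0
            set allowaccess ping https ssh
            set broadcast-forward enable
            set l2forward enable
            set type switch
            set device-identification enable
            set role lan
            set snmp-index 15
        next
    end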

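    config system vxlan
        # Both VTEPs are bound to the physical WAN port and peer with DR's WAN
        # address, so the encapsulated frames cross the 172.16.16.96/29 path
        # unencrypted and unauthenticated (VXLAN provides neither); an on-path
        # host could read or inject frames into VNI 90/12.
        # NOTE(review): for the intended VXLAN-over-IPsec design the VXLAN would
        # be bound to the IPsec tunnel interface, with remote-ip set to the
        # peer's tunnel-side address -- confirm against the FortiOS
        # VXLAN-over-IPsec documentation for the firmware in use.
        edit "VXLAN90"
            set interface "port3"
            set vni 90
            set remote-ip "172.16.16.98"
        next
        edit "VXLAN12"
            set interface "port3"
            set vni 12
            set remote-ip "172.16.16.98"
        next
    end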

    And on DR:
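    config system interface
        # Physical WAN link toward HQ; underlay for the VXLAN VTEPs below.
        # NOTE(review): https admin is enabled on this WAN-facing port; keep it
        # only if the 172.16.16.96/29 link is private to the two firewalls.
        edit "port2"
            set vdom "root"
            set ip 172.16.16.98 255.255.255.248
            set allowaccess ping https
            set type physical
            set alias "WAN-HQ"
            set role wan
            set snmp-index 2
        next
        # Local LAN port for VLAN 90; presumably a member of VXLAN90-SW
        # (membership is not shown in this paste -- confirm).
        edit "port3"
            set vdom "root"
            set type physical
            set alias "VL90"
            set role lan
            set snmp-index 3
        next
        # Software switch carrying the stretched 192.168.12.0/24 segment (VNI 12).
        edit "VXLAN12-SW"
            set vdom "root"
            set ip 192.168.12.101 255.255.255.0
            # "http" dropped: plaintext admin login reachable from both sites
            # over the stretched segment. https/ssh only.
            set allowaccess ping https ssh
            set broadcast-forward enable
            set l2forward enable
            set type switch
            set snmp-index 15
        next
        # Software switch carrying the stretched 192.168.1.0/24 segment (VNI 90).
        edit "VXLAN90-SW"
            set vdom "root"
            set ip 192.168.1.102 255.255.255.0
            # "http" dropped for the same reason as above.
            set allowaccess ping https ssh
            set broadcast-forward enable
            set l2forward enable
            set type switch
            set snmp-index 14
        next
    end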

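    config system vxlan
        # Mirror of the HQ side: VTEPs bound to the physical WAN port, peering
        # with HQ's WAN address. The VNI traffic therefore crosses the link as
        # plain UDP/4789 with no encryption or authentication.
        # NOTE(review): to run this over IPsec, bind the VXLAN to the tunnel
        # interface and point remote-ip at HQ's tunnel-side address -- confirm
        # against the FortiOS VXLAN-over-IPsec documentation for this firmware.
        edit "VXLAN90"
            set interface "port2"
            set vni 90
            set remote-ip "172.16.16.97"
        next
        edit "VXLAN12"
            set interface "port2"
            set vni 12
            set remote-ip "172.16.16.97"
        next
    end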

    My question is: is such a setup supported on FortiGate?

    UhXjTQQ4T96p7imzmbcf_vxlan.png