![]() ![]() Create a software switch with the VXLAN interface and its physical LAN port. This allows traffic to flow between the physical port and the VXLAN tunnel. Configure the VXLAN Interface and Bind it to the loopback interface - FortiGate 2Įnd Create a software switch with the VXLAN interface and its physical LAN port. The remote IP is set to the IP of the looback interface of Fortigate 2. Next Configure the VXLAN Interface and Bind it to the loopback interface - FortiGate 1 Next Configure Loopback Interface for use with the VXLAN Tunnel - FortiGate 2 Configure Loopback Interface for use with the VXLAN Tunnel - FortiGate 1 This helps to ensure that everything is setup properly before proceeding with the VXLAN configurations. Once the SD-WAN is configured, testing should be done to ensure LAN traffic is being routed as expected. I use the health checks to ensure a seamless failover in the event of a link failure. The configurations for this would be identical on FortiGate 1 and 2. The next step adds the VPN tunnels to the SD-WAN setup. The steps above configured the WAN and LAN IP addressing and configured two site to site IPsec VPNs. Set comments "VPN: VPN2 (Created by VPN wizard)" Set comments "VPN: VPN1 (Created by VPN wizard)" Configure the two VPN tunnels using the FortiGate Wizard - FortiGate 2 Once the VPN tunnels are created, I assign IP addresses to them for use in the SD-WAN health checks. Set comments "VPN: vpn2 (Created by VPN wizard)" Set comments "VPN: vpn1 (Created by VPN wizard)" Next Configure the two VPN tunnels using the FortiGate Wizard - FortiGate 1 Set allowaccess ping https ssh http fgfm fabric ![]() This IP is used to route non-VXLAN traffic over the SD-WAN Configure LAN IP - FortiGate 2 Set allowaccess ping https ssh http fgfm capwap Set allowaccess ping https ssh http fabri The same approach can be taken using public IP addresses. This example uses two MPLS links with private IP addressing. The steps to configure this setup are outlined below: Configure WAN Links - FortiGate 1 Firewall Policies (Traffic flow between sites).SD-WAN rules (Is there a preferred link or traffic types to be handled differently?).Loopback IP addresses (as VXLAN Interface).WAN IP addresses (Public IP addresses or Private IP addresses).To configure the VXLAN over SD-WAN setup we need to plan the following: The setup can be seen in the image above. This setup focusses on routing the VXLAN traffic over an SD-WAN with multiple site to site IPsec VPNs tunnels. The FortiGate VXLAN configuration shown in this article is the setup that I have gotten to work in multiple environments. Fortinet offers various options for getting this to work, but based on my experience, they don’t always work as documented. This post focusses on the implementation of VXLAN on two FortiGate firewalls. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |