I needed to test VXLAN with an MPLS core in between, so I did the following.
For MPLS I just used a simple BGP config with static redistribution; the VXLAN-over-IPsec config on the FortiGate VM is:
FortiGate (right side):
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.9.9.1 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
        set alias "WAN"
        set role wan
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set type physical
        set snmp-index 2
    next
    edit "VXLAN"
        set vdom "root"
        set l2forward enable
        set type tunnel
        set snmp-index 6
        set interface "port1"
    next
    edit "VXLAN-SW"
        set vdom "root"
        set type switch
        set snmp-index 7
    next
end
config router static
    edit 1
        set gateway 10.9.9.254
        set device "port1"
    next
end
config vpn ipsec phase1-interface
    edit "VXLAN"
        set interface "port1"
        set peertype any
        set proposal des-sha1
        set encapsulation vxlan
        set encapsulation-address ipv4
        set encap-local-gw4 10.9.9.1
        set encap-remote-gw4 10.8.8.1
        set remote-gw 10.8.8.1
        set psksecret ENC 2dkyyFtjtIQBdTJ73VMqH6zAMkfcmiwWjvPL1dTK3EESBCYgHKa6g5mEmdhh8ii3Z7AaRxnjs4NSiC7IwJCtUCfEBybyffoTu/PQnIKxRBTVoselQI3U4HN/Aw8axaAvmQzz04vmuqU9ekbmVH7srAoNpaN2AoqDj7rOyvk+LktxfBKD1yZpNzJrY918Hccl7b86Zg==
    next
end
config vpn ipsec phase2-interface
    edit "VXLAN-PH2"
        set phase1name "VXLAN"
        set proposal des-sha1
    next
end
config system switch-interface
    edit "VXLAN-SW"
        set vdom "root"
        set member "port2" "port3" "VXLAN"
        set intra-switch-policy explicit
    next
end
config firewall policy
    edit 1
        set uuid f67278de-0991-51e9-ff02-6f463ab0772d
        set srcintf "port2"
        set dstintf "VXLAN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set uuid 65857082-0992-51e9-e783-dec60d292f79
        set srcintf "VXLAN"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
The other FortiGate's config on the left side is the same except for the peer IP addresses.
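Written out, the left-side configuration looks like this. This is an added example, not the original post's config: it shows only the lines that differ from the right side (the port1 address, the default route and the IPsec phase1/phase2), while the VXLAN tunnel interface, the VXLAN-SW switch-interface and the two firewall policies stay identical to the right side. It also swaps the lab's des-sha1 proposal for aes256-sha256 with DH group 14, because single DES is a 56-bit cipher that should not leave a throwaway lab, and drops http from the WAN port's allowaccess. The 10.8.8.254 next hop and the <shared-secret> placeholder are assumptions; the # lines are annotations, not CLI.

```fortios
# Left-side FortiGate (added example; not the original post's config).
# Only the lines that differ from the right side are shown. The "VXLAN"
# tunnel interface, "VXLAN-SW" switch-interface and firewall policies
# are identical to the right-side config.
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.8.8.1 255.255.255.0
        # http removed from the WAN admin access compared to the lab config
        set allowaccess ping https ssh fgfm
        set type physical
        set alias "WAN"
        set role wan
    next
end
config router static
    edit 1
        # 10.8.8.254 is an assumed next hop into the MPLS core
        set gateway 10.8.8.254
        set device "port1"
    next
end
config vpn ipsec phase1-interface
    edit "VXLAN"
        set interface "port1"
        set peertype any
        # replaces des-sha1: AES-256 with SHA-256 and DH group 14 (2048-bit MODP)
        set proposal aes256-sha256
        set dhgrp 14
        set encapsulation vxlan
        set encapsulation-address ipv4
        # mirror image of the right side: local 10.8.8.1, remote 10.9.9.1
        set encap-local-gw4 10.8.8.1
        set encap-remote-gw4 10.9.9.1
        set remote-gw 10.9.9.1
        # placeholder; must be the same secret as the right-side psksecret
        set psksecret <shared-secret>
    next
end
config vpn ipsec phase2-interface
    edit "VXLAN-PH2"
        set phase1name "VXLAN"
        # same hardened proposal on phase2, with PFS over group 14
        set proposal aes256-sha256
        set dhgrp 14
    next
end
```

The proposal, DH group and PSK must be set identically on both peers, and encap-local-gw4/encap-remote-gw4 plus remote-gw must be the exact mirror of the other side, otherwise the tunnel will not form. The all/all/ALL policies and the management access on the WAN interface are acceptable on a test bench but should be scoped down anywhere else.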
Two very important things to note when configuring the FortiGate:
1. When configuring system switch-interface, make sure to "set vdom root".
2. When configuring system switch-interface, make sure to complete the configuration at once, since it won't accept adding further config to the switch later.
Then simply ping between the VPCs and you can see ICMP is working.
Also, I can see the ARP entry for the other side's VPC NIC.
Reference: https://travelingpacket.com/2017/09/28/fortigate-vxlan-encapsulation/
Wednesday, December 26, 2018