config system overlay-tunnel

Use this command to configure an overlay tunnel.

FortiADC supports two overlay protocols: VXLAN and NVGRE.

  • Virtual Extensible LAN (VXLAN) is a network virtualization technology used in large cloud-computing deployments. It encapsulates OSI Layer-2 Ethernet frames within Layer-3 IP packets using the standard destination port 4789. VXLAN endpoints that terminate VXLAN tunnels are known as VXLAN tunnel endpoints (VTEPs), and can be virtual or physical switch ports. For more information, see RFC 7348.
  • Network Virtualization using Generic Routing Encapsulation (NVGRE) is a network virtualization technology that attempts to alleviate the scalability problems associated with large cloud-computing deployments. It uses Generic Routing Encapsulation (GRE) to tunnel Layer-2 packets over Layer-3 networks.

Before you begin, make sure that you have read-write permission to configure system settings.

Syntax

    config system overlay-tunnel
      edit <name> <string>
        set type {vxlan|nvgre}
        set interface <datasource>
        set vni <integer>
        set vsid <integer>
        set ip-version {ipv4-unicast|ipv4-multicast}
        set dstport <integer>
        set multicast-ttl <integer>
        set destination-ip-addresses <class_ip>
        config remote-host
          edit <No.>
            set host-mac-address <xx:xx:xx:xx:xx:xx>
            set vtep <class_ip>
          next
        end
      next
    end

type

Select a virtual overlay networking protocol:

  • VXLAN (default)
  • NVGRE

interface

The outgoing interface for VXLAN encapsulated traffic.

dstport

The VXLAN destination port (number). The default is 4789. The valid range is 1–6553.

vni

The VXLAN network ID. The valid range is 1–16777215.

vsid

The NVGRE ID. The valid range is 1–16777215.

ip-version

The IP version to use for the VXLAN interface and for communication over VXLAN.

  • ipv4-unicast—Use IPv4 unicast addressing over VXLAN or NVGRE.
  • ipv4-multicast—Use IPv4 multicast addressing over VXLAN.

destination-ip-addresses

Specify the destination IP address.

Note: For IPv4 unicast, specify the IPv4 address of the VXLAN interface on the device at the remote end of the VXLAN. You can set multiple VTEP IP addresses, separated by spaces. For IPv4 multicast, specify one multicast IP address only.

multicast-ttl

This option applies to the IPv4 multicast type only.

Specify the multicast TTL. Valid values are from 0 (default) to 255.

remote-host

Add static MAC_to_VTEP to VXLAN mapping table.

host-mac-address

Set the remote host MAC address. The format is xx:xx:xx:xx:xx:xx.

vtep

Set the remote VTEP IP address.
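The constraints described above (ID range, one multicast address in multicast mode, multicast-ttl only in multicast mode) can be checked before a stanza is entered on the device. The following Python sketch is an added example, not Fortinet code; `check_overlay_stanza` is a hypothetical helper name and the sample stanza is constructed.

```python
import ipaddress

def _ipv4(value):
    try:
        return ipaddress.IPv4Address(value)
    except ValueError:
        return None  # caller reports the problem

def check_overlay_stanza(text):
    """Return problems found in one overlay-tunnel edit stanza (hypothetical helper)."""
    opts, problems = {}, []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "set":
            opts[parts[1]] = parts[2:]
    tunnel = opts.get("type", ["vxlan"])[0]  # vxlan is the documented default
    id_key = "vsid" if tunnel == "nvgre" else "vni"
    ident = opts.get(id_key, [""])[0]
    if not (ident.isdecimal() and 1 <= int(ident) <= 16777215):
        problems.append(f"{id_key} missing or outside 1-16777215")
    mode = opts.get("ip-version", [""])[0]
    dests = [_ipv4(a) for a in opts.get("destination-ip-addresses", [])]
    if not dests or None in dests:
        problems.append("destination-ip-addresses missing or not IPv4")
    elif mode == "ipv4-multicast":
        if tunnel != "vxlan":
            problems.append("ipv4-multicast is documented for VXLAN only")
        if len(dests) != 1 or not dests[0].is_multicast:
            problems.append("multicast mode needs exactly one multicast address")
    elif any(d.is_multicast for d in dests):
        problems.append("unicast mode lists a multicast address")
    ttl = opts.get("multicast-ttl")
    if ttl and mode != "ipv4-multicast":
        problems.append("multicast-ttl applies to ipv4-multicast only")
    if ttl and not (ttl[0].isdecimal() and int(ttl[0]) <= 255):
        problems.append("multicast-ttl outside 0-255")
    return problems

# Constructed stanza: multicast mode with two unicast peers and an out-of-range vni.
SAMPLE = """
edit "vxlan1"
  set type vxlan
  set ip-version ipv4-multicast
  set destination-ip-addresses 10.75.0.202 10.75.0.88
  set vni 0
next
"""
if __name__ == "__main__":
    print("\n".join(check_overlay_stanza(SAMPLE)))
```

The check covers only the options whose constraints are stated on this page; remote-host entries and dstport are not validated.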

Example

The following commands create a VXLAN interface with two VTEP peers:

    config system overlay-tunnel
      edit "vxlan1"
        set type vxlan
        set interface port2
        set ip-version ipv4-unicast
        set destination-ip-addresses 10.75.0.202 10.75.0.88
        set dstport 4789
        set vni 1122
        config remote-host
        end
      next
    end

The following commands create a VXLAN interface with a multicast IP:

    config system overlay-tunnel
      edit "vxlan1"
        set type vxlan
        set interface vlan249
        set ip-version ipv4-multicast
        set destination-ip-addresses 239.1.1.1
        set dstport 4789
        set vni 1122
        config remote-host
          edit 1
            set host-mac-address 22:22:22:22:22:22
            set vtep 3.2.2.2
          next
        end
      next
    end

The following commands create an NVGRE interface with two remote gateway IPs:

    config system overlay-tunnel
      edit "nvgre1"
        set type nvgre
        set interface vlan249
        set ip-version ipv4-unicast
        set destination-ip-addresses 10.75.0.202 10.75.0.88
        set dstport 4789
        set vsid 1122
        config remote-host
        end
      next
    end

After you create a VXLAN/NVGRE tunnel, the system automatically creates a corresponding interface.

To diagnose your VXLAN configuration, use the following command:

    diagnose sys vxlan fdb list vxlan1

    (M) FortiADC-VM# diagnose system vxlan-fdb vxlan1
    ff:ff:ff:ff:ff:ff dst 10.249.100.31 via vlan249 self permanent
    ff:ff:ff:ff:ff:ff dst 10.249.100.38 via vlan249 self permanent
    22:22:22:22:22:22 dst 3.2.2.2 via vlan249 self permanent
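The forwarding table decides which remote endpoints receive encapsulated Layer-2 frames, so it is worth comparing the diagnostic output with the intended peer list. The following Python sketch is an added example, not Fortinet code: `audit_fdb` is a hypothetical helper, the line format is assumed from the sample output above, and the input is constructed.

```python
import re

# Line shape taken from the sample output on this page:
#   <mac> dst <vtep-ip> via <interface> self permanent
FDB_RE = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+dst\s+(?P<vtep>\d+(?:\.\d+){3})"
    r"\s+via\s+(?P<iface>\S+)", re.IGNORECASE)

def audit_fdb(output, allowed_vteps, static_hosts, underlay):
    """Compare FDB lines with the intended peers; return a list of findings."""
    findings, seen = [], set()
    for line in output.splitlines():
        m = FDB_RE.match(line.strip())
        if not m:
            continue  # prompt, blank line or unknown format
        mac, vtep, iface = m["mac"].lower(), m["vtep"], m["iface"]
        seen.add(vtep)
        if vtep not in allowed_vteps:
            findings.append(f"unexpected VTEP {vtep} for {mac}")
        if iface != underlay:
            findings.append(f"{mac} leaves via {iface}, expected {underlay}")
        if mac in static_hosts and static_hosts[mac] != vtep:
            findings.append(f"{mac} maps to {vtep}, expected {static_hosts[mac]}")
    for vtep in sorted(set(allowed_vteps) - seen):
        findings.append(f"configured VTEP {vtep} has no FDB entry")
    return findings

# Constructed output in the page's format; 10.249.100.99 is not an intended peer.
SAMPLE = """\
ff:ff:ff:ff:ff:ff dst 10.249.100.31 via vlan249 self permanent
ff:ff:ff:ff:ff:ff dst 10.249.100.99 via vlan249 self permanent
22:22:22:22:22:22 dst 3.2.2.2 via vlan249 self permanent
"""
ALLOWED = {"10.249.100.31", "10.249.100.38", "3.2.2.2"}  # intended peers (constructed)
STATIC = {"22:22:22:22:22:22": "3.2.2.2"}                # remote-host entries

if __name__ == "__main__":
    print("\n".join(audit_fdb(SAMPLE, ALLOWED, STATIC, "vlan249")))
```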
