Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    CLI Reference

    Home FortiADC 8.0.2 CLI Reference
    8.0.2
    8.0.2
    8.0.1
    8.0.0
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.2
    6.0.1
    6.0.0
    5.4.5
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.0
    4.8.1
    4.7.0

    config system overlay-tunnel

    config system overlay-tunnel

    Use this command to configure an overlay tunnel.

    FortiADC support two types of overlay protocols—VXLAN and NVGRE.

    • Virtual Extensible LAN (VXLAN) is a network virtualization technology used in large cloud-computing deployments. It encapsulates OSI Layer-2 Ethernet frames within Layer-3 IP packets using the standard destination port 4789. VXLAN endpoints that terminate VXLAN tunnels are known as VXLAN tunnel endpoints (VTEPs), and can be virtual or physical switch ports. For more information, see RFC 7348.
    • Network Virtualization using Generic Routing Encapsulation (NVGRE) is a network virtualization technology that attempts to alleviate the scalability problems associated with large cloud-computing deployments. It uses Generic Routing Encapsulation (GRE) to tunnel Layer-2 packets over Layer-3 networks.

    Before you begin, make sure that you have read-write permission to configure system settings.

    Syntax

    config system vxlan

    edit <name> <string>

    set type {vxlan|nvgre}

    set vxlan-type {linux_vxlan|flannel_vxlan|calico_vxlan}

    set interface <datasource>

    set vni <integer>

    set vsid <integer>

    set vxlan-interface-mac <xx:xx:xx:xx:xx:xx>

    set ip-version {ipv4-unicast|ipv4-multicast}

    set dstport <integer>

    set multicast-ttl <integer>

    set destination-ip-addresses <class_ip>

    config remote-host

    edit <No.>

    set host-mac-address <xx:xx:xx:xx:xx:xx>

    set vtep <class_ip>

    next

    end

    config arp

    edit <No.>

    set mac-address <xx:xx:xx:xx:xx:xx>

    set ip <class_ip>

    next

    end

    next

    end

    type

    Select a virtual overlay networking protocol:

    • vxlan (default)
    • nvgre

    vxlan-type

    The vxlan-type option is available if the type is vxlan.

    Select the VXLAN gateway type based on your backend environment:

    • inux_vxlan: (Default) Standard Linux kernel-based VXLAN implementation for general purpose overlay networking.

    • flannel_vxlan: Optimized for Kubernetes clusters using the Flannel CNI. It typically uses a specific VNI (usually 1) and handles routing through the flannel.1 interface.

    • calico_vxlan: New in 8.0.2. Specifically designed for Kubernetes clusters using the Calico CNI. This type allows FortiADC to participate in Calico-managed VXLAN networks by aligning with Calico-assigned MAC addresses and IP-to-MAC mappings.
    interface

    The outing interface for VXLAN encapsulated traffic.
    dstport

    The VXLAN destination port (number). The default is 4789. The valid range is 1–6553.

    vni

    The VXLAN network ID. The valid range is 1–16777215.
    vsid

    The NVGRE ID. The valid range is 1–16777215.

    vxlan-interface-mac

    The vxlan-interface-mac option is available if the vxlan-type is calico_vxlan.

    Specifies the MAC address of the VXLAN interface. This value must match the MAC address assigned by Calico for proper data plane connectivity.
    ip-version

    The IP version to use for the VXLAN interface and for communication over VXLAN.

    • ipv4-unicast—Use IPv4 unicast addressing over VXLAN or NVGRE.
    • ipv4-multicast—Use IPv4 multicast addressing over VXLAN.
    destination-ip-address

    Specify the destination IP address.

    Note: For IPv4 unicast, specify an IPv4 address of the VXLAN interface on the device at the remote end of the VXLAN. You can set multiple VTEP IP addresses, splitting with space char; for IPv4 multicast, specify one multicast IP address only.
    multicast-ttl

    The option applies to IPv4 multicast IP type only.

    Specify the multicast TTL. Valid values are from 0 (default) to 255.
    config remote host Add static MAC_to_VTEP to VXLAN mapping table.
    host-mac-address Set the remote host MAC address. The format is xx:xx:xx:xx:xx:xx
    vtep Set the remote VTEP IP address.

    config arp

    For Flannel VXLAN and Calico VXLAN, the ARP List section is used to manually define Address Resolution Protocol (ARP) entries, ensuring FortiADC can resolve the IP addresses of Kubernetes pods to their corresponding MAC addresses within the overlay. Note: These entries may be updated automatically if the FortiADC Kubernetes Controller is deployed in the cluster.

    mac-address

    		Specify the MAC address associated with the destination IP. This ensures the VXLAN encapsulated traffic is directed to the correct virtual interface on the remote host.

    ip

    		Specify the IP address of the remote Kubernetes pod or service endpoint within the VXLAN network.

    Example

    The following commands create a VXLAN interface with two VTEP peers:

    config system overlay-tunnel

    edit "vxlan1"

    set type vxlan

    set interface port2

    set ip-version ipv4-unicast

    set destination-ip-addresses 10.75.0.202 10.75.0.88

    set dstport 4789

    set vni 1122

    config remote-host

    end

    next

    The following commands create a VXLAN interface with a multicast IP:

    config system overlay-tunnel

    edit "vxlan1"

    set type vxlan

    set interface vlan249

    set ip-version ipv4-multicast

    set destination-ip-addresses 239.1.1.1

    set dstport 4789

    set vni 1122

    config remote-host

    edit 1

    set host-mac-address 22:22:22:22:22:22

    set vtep 3.2.2.2

    end

    next

    The following commands create an NVGRE interface with two remote gateway IPs:

    config system overlay-tunnel

    edit "nvgre1"

    set type nvgre

    set interface vlan249

    set ip-version ipv4-unicast

    set destination-ip-addresses 10.75.0.202 10.75.0.88

    set dstport 4789

    set vsid 1122

    config remote-host

    end

    next

    After creating a VXLAN/NVGRE tunnel, the system will create one interface automatically accordingly.

    To diagnose your VXLAN configuration, use the following command:

    diagnose sys vxlan fdb list vxlan1

    (M) FortiADC-VM# diagnose system vxlan-fdb vxlan1

    ff:ff:ff:ff:ff:ff dst 10.249.100.31 via vlan249 self permanent

    ff:ff:ff:ff:ff:ff dst 10.249.100.38 via vlan249 self permanent

    22:22:22:22:22:22 dst 3.2.2.2 via vlan249 self permanent

    Previous
    Next

    config system overlay-tunnel

    config system overlay-tunnel

    Use this command to configure an overlay tunnel.

    FortiADC support two types of overlay protocols—VXLAN and NVGRE.

    • Virtual Extensible LAN (VXLAN) is a network virtualization technology used in large cloud-computing deployments. It encapsulates OSI Layer-2 Ethernet frames within Layer-3 IP packets using the standard destination port 4789. VXLAN endpoints that terminate VXLAN tunnels are known as VXLAN tunnel endpoints (VTEPs), and can be virtual or physical switch ports. For more information, see RFC 7348.
    • Network Virtualization using Generic Routing Encapsulation (NVGRE) is a network virtualization technology that attempts to alleviate the scalability problems associated with large cloud-computing deployments. It uses Generic Routing Encapsulation (GRE) to tunnel Layer-2 packets over Layer-3 networks.

    Before you begin, make sure that you have read-write permission to configure system settings.

    Syntax

    config system vxlan

    edit <name> <string>

    set type {vxlan|nvgre}

    set vxlan-type {linux_vxlan|flannel_vxlan|calico_vxlan}

    set interface <datasource>

    set vni <integer>

    set vsid <integer>

    set vxlan-interface-mac <xx:xx:xx:xx:xx:xx>

    set ip-version {ipv4-unicast|ipv4-multicast}

    set dstport <integer>

    set multicast-ttl <integer>

    set destination-ip-addresses <class_ip>

    config remote-host

    edit <No.>

    set host-mac-address <xx:xx:xx:xx:xx:xx>

    set vtep <class_ip>

    next

    end

    config arp

    edit <No.>

    set mac-address <xx:xx:xx:xx:xx:xx>

    set ip <class_ip>

    next

    end

    next

    end

    type

    Select a virtual overlay networking protocol:

    • vxlan (default)
    • nvgre

    vxlan-type

    The vxlan-type option is available if the type is vxlan.

    Select the VXLAN gateway type based on your backend environment:

    • inux_vxlan: (Default) Standard Linux kernel-based VXLAN implementation for general purpose overlay networking.

    • flannel_vxlan: Optimized for Kubernetes clusters using the Flannel CNI. It typically uses a specific VNI (usually 1) and handles routing through the flannel.1 interface.

    • calico_vxlan: New in 8.0.2. Specifically designed for Kubernetes clusters using the Calico CNI. This type allows FortiADC to participate in Calico-managed VXLAN networks by aligning with Calico-assigned MAC addresses and IP-to-MAC mappings.
    interface

    The outing interface for VXLAN encapsulated traffic.
    dstport

    The VXLAN destination port (number). The default is 4789. The valid range is 1–6553.

    vni

    The VXLAN network ID. The valid range is 1–16777215.
    vsid

    The NVGRE ID. The valid range is 1–16777215.

    vxlan-interface-mac

    The vxlan-interface-mac option is available if the vxlan-type is calico_vxlan.

    Specifies the MAC address of the VXLAN interface. This value must match the MAC address assigned by Calico for proper data plane connectivity.
    ip-version

    The IP version to use for the VXLAN interface and for communication over VXLAN.

    • ipv4-unicast—Use IPv4 unicast addressing over VXLAN or NVGRE.
    • ipv4-multicast—Use IPv4 multicast addressing over VXLAN.
    destination-ip-address

    Specify the destination IP address.

    Note: For IPv4 unicast, specify an IPv4 address of the VXLAN interface on the device at the remote end of the VXLAN. You can set multiple VTEP IP addresses, splitting with space char; for IPv4 multicast, specify one multicast IP address only.
    multicast-ttl

    The option applies to IPv4 multicast IP type only.

    Specify the multicast TTL. Valid values are from 0 (default) to 255.
    config remote host Add static MAC_to_VTEP to VXLAN mapping table.
    host-mac-address Set the remote host MAC address. The format is xx:xx:xx:xx:xx:xx
    vtep Set the remote VTEP IP address.

    config arp

    For Flannel VXLAN and Calico VXLAN, the ARP List section is used to manually define Address Resolution Protocol (ARP) entries, ensuring FortiADC can resolve the IP addresses of Kubernetes pods to their corresponding MAC addresses within the overlay. Note: These entries may be updated automatically if the FortiADC Kubernetes Controller is deployed in the cluster.

    mac-address

    		Specify the MAC address associated with the destination IP. This ensures the VXLAN encapsulated traffic is directed to the correct virtual interface on the remote host.

    ip

    		Specify the IP address of the remote Kubernetes pod or service endpoint within the VXLAN network.

    Example

    The following commands create a VXLAN interface with two VTEP peers:

    config system overlay-tunnel

    edit "vxlan1"

    set type vxlan

    set interface port2

    set ip-version ipv4-unicast

    set destination-ip-addresses 10.75.0.202 10.75.0.88

    set dstport 4789

    set vni 1122

    config remote-host

    end

    next

    The following commands create a VXLAN interface with a multicast IP:

    config system overlay-tunnel

    edit "vxlan1"

    set type vxlan

    set interface vlan249

    set ip-version ipv4-multicast

    set destination-ip-addresses 239.1.1.1

    set dstport 4789

    set vni 1122

    config remote-host

    edit 1

    set host-mac-address 22:22:22:22:22:22

    set vtep 3.2.2.2

    end

    next

    The following commands create an NVGRE interface with two remote gateway IPs:

    config system overlay-tunnel

    edit "nvgre1"

    set type nvgre

    set interface vlan249

    set ip-version ipv4-unicast

    set destination-ip-addresses 10.75.0.202 10.75.0.88

    set dstport 4789

    set vsid 1122

    config remote-host

    end

    next

    After creating a VXLAN/NVGRE tunnel, the system will create one interface automatically accordingly.

    To diagnose your VXLAN configuration, use the following command:

    diagnose sys vxlan fdb list vxlan1

    (M) FortiADC-VM# diagnose system vxlan-fdb vxlan1

    ff:ff:ff:ff:ff:ff dst 10.249.100.31 via vlan249 self permanent

    ff:ff:ff:ff:ff:ff dst 10.249.100.38 via vlan249 self permanent

    22:22:22:22:22:22 dst 3.2.2.2 via vlan249 self permanent

    Previous
    Next