Handbook

6.0.0

VLANs over VXLANs

VLANs can be assigned to VXLAN interfaces. In a data center network where VXLAN is used to create an L2 overlay network, and in multitenant environments, a customer VLAN tag can be assigned to a VXLAN interface. This allows the VLAN tag on VLAN traffic to be encapsulated within the VXLAN packet.

To configure VLAN inside VXLAN on HQ1:
  1. Configure VXLAN:
    config system vxlan
       edit "vxlan1"
          set interface port1
          set vni 1000
          set remote-ip 173.1.1.1
       next
    end
  2. Configure system interface:
    config system interface
       edit vlan100
         set vdom root
         set vlanid 100
         set interface dmz
       next
       edit vxlan100
         set type vlan
         set vlanid 100
         set vdom root
         set interface vxlan1
       next
    end
  3. Configure software switch:
    config system switch-interface
       edit swl
         set vdom root
         set member vlan100 vxlan100
         set intra-switch-policy implicit
       next
    end
Note

The default intra-switch-policy implicit behavior allows traffic between member interfaces within the switch. Therefore, it is not necessary to create firewall policies to allow this traffic.

To configure VLAN inside VXLAN on HQ2:
  1. Configure VXLAN:
    config system vxlan
       edit "vxlan2"
          set interface port25
          set vni 1000
          set remote-ip 173.1.1.2
       next
    end
  2. Configure system interface:
    config system interface
       edit vlan100
         set vdom root
         set vlanid 100
         set interface port20
       next
       edit vxlan100
         set type vlan
         set vlanid 100
         set vdom root
         set interface vxlan2
       next
    end
  3. Configure software switch:
    config system switch-interface
       edit swl
         set vdom root
         set member vlan100 vxlan100
       next
    end
To verify the configuration:

Ping PC1 from PC2.

The following is captured on HQ2:

This captures the VXLAN traffic between 172.1.1.1 and 172.1.12 with the VLAN 100 tag inside.
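To check a capture like the one above without a GUI, the parser below pulls the VNI and the inner 802.1Q tag out of a VXLAN frame, so you can confirm that both FortiGates agree on VNI 1000 and that VLAN 100 is really carried inside the tunnel. This is an added example, not FortiOS code or part of the original page; the frame builder constructs a sample packet with placeholder MAC addresses and a zero IP checksum, and the tunnel endpoint addresses are taken from the page's remote-ip settings.

```python
"""Constructed VXLAN frame carrying an 802.1Q-tagged inner frame, plus a parser
that extracts the VNI and inner VLAN ID (what the HQ2 capture should show)."""
import socket
import struct

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN destination port
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100
VXLAN_FLAG_VNI_VALID = 0x08    # "I" flag: VNI field is valid


def build_vxlan_frame(vni, outer_src, outer_dst, inner_vlan, payload=b"constructed"):
    """Outer Ethernet/IPv4/UDP/VXLAN wrapping an inner Ethernet frame.
    inner_vlan=None produces an untagged inner frame. MACs are placeholders."""
    if inner_vlan is None:
        tag = struct.pack("!H", ETHERTYPE_IPV4)
    else:  # TPID 0x8100, TCI with the 12-bit VLAN ID, then the real EtherType
        tag = struct.pack("!HHH", ETHERTYPE_8021Q, inner_vlan & 0x0FFF, ETHERTYPE_IPV4)
    inner_eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + tag + payload
    # VXLAN header: flags(8) reserved(24) VNI(24) reserved(8); VNI sits in the high 24 bits
    vxlan_hdr = struct.pack("!BBHI", VXLAN_FLAG_VNI_VALID, 0, 0, (vni & 0xFFFFFF) << 8)
    udp_len = 8 + len(vxlan_hdr) + len(inner_eth)
    udp_hdr = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                         socket.inet_aton(outer_src), socket.inet_aton(outer_dst))
    outer_eth = bytes.fromhex("020000000102") + bytes.fromhex("020000000101") + struct.pack("!H", ETHERTYPE_IPV4)
    return outer_eth + ip_hdr + udp_hdr + vxlan_hdr + inner_eth


def parse_vxlan_frame(frame):
    """Return {'outer_src', 'outer_dst', 'vni', 'vlan_id'} or None if not VXLAN.
    vlan_id is None when the inner frame carries no 802.1Q tag."""
    if len(frame) < 14 + 20 + 8 + 8 + 14:                       # shortest possible frame
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4
    if frame[ip_off + 9] != 17:                                 # protocol must be UDP
        return None
    udp_off = ip_off + ihl
    if struct.unpack_from("!H", frame, udp_off + 2)[0] != VXLAN_UDP_PORT:
        return None
    vx_off = udp_off + 8
    flags, _, _, vni_word = struct.unpack_from("!BBHI", frame, vx_off)
    if not flags & VXLAN_FLAG_VNI_VALID:
        return None
    inner_off = vx_off + 8
    vlan_id = None
    if struct.unpack_from("!H", frame, inner_off + 12)[0] == ETHERTYPE_8021Q:
        vlan_id = struct.unpack_from("!H", frame, inner_off + 14)[0] & 0x0FFF   # low 12 TCI bits
    return {"outer_src": socket.inet_ntoa(frame[ip_off + 12:ip_off + 16]),
            "outer_dst": socket.inet_ntoa(frame[ip_off + 16:ip_off + 20]),
            "vni": vni_word >> 8, "vlan_id": vlan_id}
```

Run `parse_vxlan_frame(build_vxlan_frame(1000, "173.1.1.2", "173.1.1.1", 100))` to see the expected VNI 1000 / VLAN 100 result; feeding it the raw bytes of a real capture frame works the same way.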