FortiGate VXLAN (L2) Site‑to‑Site – Extending VLAN 10 Across a Layer 3 WAN

Overview

In modern enterprise networks, extending Layer 2 connectivity across geographically separated sites is often necessary for seamless application performance, unified broadcast domains, and simplified management. FortiGate VXLAN (Virtual Extensible LAN) provides a robust solution to bridge VLANs over a Layer 3 WAN, enabling transparent communication between remote sites without complex MPLS or SD‑WAN overlays.

This article explores the VXLAN L2 Site‑to‑Site configuration that extends VLAN 10 between Site A and Site B, using FortiGate firewalls as VXLAN endpoints.

Network Topology Summary

Component                  Site A                                   Site B
LAN Network                10.10.10.0/24                            10.10.10.0/24
VLAN ID                    10                                       10
FortiGate WAN Interfaces   WAN1 (203.0.113.1), WAN2 (203.0.113.5)   WAN1 (203.0.113.2), WAN2 (203.0.113.6)
VXLAN Interface            VXLAN10010 (VNI 10010)                   VXLAN10010 (VNI 10010)
Virtual Switch             vsw10 (VLAN10 + VXLAN10010)              vsw10 (VLAN10 + VXLAN10010)

The VXLAN Tunnel (VNI 10010) traverses the Layer 3 WAN, encapsulating Ethernet frames from VLAN 10 into UDP packets, which are then decapsulated at the remote site — effectively extending the Layer 2 domain.

Traffic Flow Mechanism

  1. Host in Site A sends traffic on VLAN 10 (10.10.10.0/24).
  2. FortiGate A encapsulates the frame into VXLAN (VNI 10010).
  3. The VXLAN packet travels over the Layer 3 WAN as a plain UDP datagram; it is only protected if the overlay is wrapped in IPsec (see step 4 of the configuration below).
  4. FortiGate B decapsulates the VXLAN frame.
  5. The traffic is delivered to VLAN 10 at Site B, maintaining MAC‑level transparency.

This process allows both sites to behave as if they share the same broadcast domain, supporting protocols like ARP, DHCP, and multicast across the WAN.

Essential Configuration Steps

1. Create VXLAN Interface

  • VNI: 10010
  • Source Interface: WAN1 (or WAN2)
  • Destination IP: Remote WAN IP
  • Encapsulation Mode: UDP with default port 4789

2. Create VLAN Interface

  • VLAN ID: 10
  • Physical Port: LAN member interface
  • IP Address: 10.10.10.1/24 (Site A) and 10.10.10.2/24 (Site B)

3. Create Virtual Switch (vsw10)

  • Add both VXLAN10010 and VLAN10 as members.
  • This bridges the VXLAN overlay with the local VLAN, enabling Layer 2 extension.

4. Routing and Firewall Policies

  • Ensure WAN interfaces allow UDP 4789 traffic, and restrict it to the remote peer's WAN address: VXLAN has no authentication of its own, so any host that can reach UDP 4789 on the WAN IP could otherwise inject frames into VLAN 10.
  • Optionally apply IPsec or SSL encryption for VXLAN packets to secure the overlay (on FortiGate this is done by sourcing the VXLAN interface from an IPsec tunnel interface instead of the WAN port).
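The four steps above written out as FortiOS CLI for Site A (Site B is the mirror image with the addresses swapped). This is an added example, not configuration from the article: the interface names wan1 and internal, the VDOM root, and the use of a FortiOS software switch (config system switch-interface, the object that can bridge a VXLAN interface with a VLAN interface) are assumptions, and the 10.10.10.1/24 address is placed on the switch interface because software-switch members cannot carry their own IP.

```fortios
# Site A. Assumed: LAN port "internal", WAN port "wan1", VDOM "root".
# Peer address 203.0.113.2 and VNI 10010 come from the article's topology.

# Step 2: VLAN 10 sub-interface on the LAN port (no IP here; it becomes a switch member)
config system interface
    edit "vlan10"
        set vdom "root"
        set interface "internal"
        set vlanid 10
    next
end

# Step 1: VXLAN endpoint towards Site B over the Layer 3 WAN.
# For an encrypted overlay, point "set interface" at an IPsec phase1 interface instead.
config system vxlan
    edit "VXLAN10010"
        set interface "wan1"
        set vni 10010
        set ip-version ipv4-unicast
        set remote-ip "203.0.113.2"
        set dstport 4789
    next
end

# Step 3: software switch bridging the local VLAN with the VXLAN overlay
config system switch-interface
    edit "vsw10"
        set vdom "root"
        set member "vlan10" "VXLAN10010"
    next
end

# Gateway address for the extended segment lives on the switch interface
config system interface
    edit "vsw10"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
    next
end
```

Step 4 (allowing UDP 4789 only from 203.0.113.2 on wan1, or building the IPsec tunnel that carries the VXLAN) is not shown here because its form depends on the site's existing policy set.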

Technical Insights

  • VXLAN Encapsulation uses MAC‑in‑UDP tunneling, allowing Layer 2 frames to traverse Layer 3 networks.
  • VNI (VXLAN Network Identifier) acts as a logical segment identifier, similar to a VLAN tag but with a 24‑bit space supporting 16 million segments.
  • FortiGate Virtual Switch bridges VXLAN and VLAN interfaces, maintaining MAC learning and forwarding tables across sites.
  • Layer 2 Extension Use Cases include disaster recovery, VM migration, and shared infrastructure for multi‑site clusters.

Security Considerations

  • Authenticate VXLAN Peers: Use IPsec or certificate‑based tunnels to prevent spoofing.
  • Restrict Broadcast Domains: Avoid extending unnecessary VLANs to reduce loop risk.
  • Monitor Encapsulation Performance: VXLAN adds ~50 bytes per packet (outer Ethernet, IP, UDP, and VXLAN headers); raise the WAN MTU or lower the MTU on the extended segment so encapsulated packets do not exceed the path MTU and fragment.
  • Enable Loop Prevention via FortiGate STP or MAC filtering rules.

Expert in the Cloud Insight

VXLAN bridging on FortiGate firewalls offers a powerful alternative to traditional Layer 2 VPNs, combining scalability, security, and simplicity. By encapsulating VLAN traffic over Layer 3 WAN links, organizations can maintain consistent network policies and broadcast domains across remote sites without compromising performance or visibility.

For network engineers and architects, this approach represents a future‑ready method to extend enterprise LANs securely and efficiently — a cornerstone of modern hybrid infrastructure design.
