Thanks, but not sure if this is what I am looking for, as I see this requires NAT, and I need full layer 2, so broadcasts etc. cross to the other side without NAT.

I found that the FTD’s can do VxLAN on their own https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-management-center/221043-configure-vxlan-interfaces-on-secure-ftd.html (read but not implemented yet).

But I could use a little more detail on the exact connectivity to the inside switches.  The actual connectivity to the FTD (does it need its own interface, or can it be a sub-interface on my internal LAN interface.

-cliff

Also, the document states “The configure section assumes that the underlay network is already configured on threat defense via the Secure Firewall Management Center. This document is focused on overlay network configuration.” My underlay network is working, but is it setup correctly for VxLAN?

Just a brief: SW1-{port1} --> FTD-{interfaceA} <—>FTD-{interfaceB} --> SW2-{port2}

Is SW-{port1} an access port or trunk? Is FTD-{interfaceA} a dedicated interface or can it be a Sub-Interface? Same with {port2} and {interfaceB}?

Thanks-

When logging on the CLI of each FW, I should be able to ping each side of the VTEP interface (172.24..101.1 <--> 172.24.107.1) But it is failing.

I am not sure what the issue is. I have attached a an updated image and PDF (not sure which is best), edited FW configs are in the image.

Thanks-