Troubleshooting Tip: Connections through SoftSwitch with intra-switch-policy=explicit fail with VLAN tagged packets
| Description | This article describes a scenario in which the traffic that flows between members of a SoftSwitch interface must be controlled with the intra-switch-policy=explicit feature (the value is 'implicit' by default). VXLAN interfaces are members of the SoftSwitch in this scenario. For example, connections through the SoftSwitch between 'TVTEL_MACHASA_D1' and 'NicolasChahuan_D1' fail (as do connections to any other VXLAN member). |
| Scope | FortiOS (any firmware version). |
| Solution | Topology:
```
Host(b8:ca:3a:6d:1f:3d)=b8:ca:3a:6d:1f:3d |----- [x2] FGT1 [TO_MACHASA_LAN] <=== ===> [sw_to_Machasa] FGT2 [port13] -----| Host(00:1e:08:53:02:40)=172.168.1.62
```
Note: With intra-switch-policy=implicit (the default), the connection succeeds.
For example:
FGT1:
```
config system vxlan
    edit "Monumental_Main"
        set interface "Lo_Mon_Main"
        set vni 301
        set remote-ip "10.156.xxx.xxx"
    next
    edit "Nacional_Main"
        set interface "Lo_Naciona_Main"
        set vni 201
        set remote-ip "10.156.xxx.xxx"
    next
    edit "Claro_Are_Main"
        set interface "Lo_Cla_Are_Main"
        set vni 101
        set remote-ip "10.156.xxx.xxx"
    next
    edit "Main_Sausalito"
        set interface "Lo_Sausa_Main"
        set vni 401
        set remote-ip "10.156.xxx.xxx"
    next
    edit "Cisterna_Main"
        set interface "WAN_Claro"
        set vni 601
        set remote-ip "172.19.xxx.xxx"
    next
end
config system switch-interface
    edit "TO_MACHASA_LAN"
        set vdom "root"
        set member "CAP_Acero_Main" "Cisterna_Main" "Claro_Are_Main" "Coquimbo_Main" "E_Figueroa_Main" "La_Florida_Main" "La_Portada_Main" "Main_Sausalito" "Monumental_Main" "N_Chahuan_Main" "Nacional_Main" "Santa_Cruz_Main" "TCampeones_Main" "Teniente_Main" "x2"
        set type switch
        set intra-switch-policy implicit
        set mac-ttl 300
        set span disable
    next
end
```

With the implicit policy, ICMP between the two hosts passes through the SoftSwitch:

```
FGT1 # diagnose sniffer packet any ' host 172.168.1.62 and icmp ' 4 0 a
interfaces=[any]
filters=[ host 172.168.1.62 and icmp ]
2026-02-04 18:23:59.930312 npudbg in 172.168.1.111 -> 172.168.1.62: icmp: echo request
2026-02-04 18:23:59.935018 npudbg in 172.168.1.62 -> 172.168.1.111: icmp: echo reply
2026-02-04 18:24:00.931420 npudbg in 172.168.1.111 -> 172.168.1.62: icmp: echo request
2026-02-04 18:24:00.936117 npudbg in 172.168.1.62 -> 172.168.1.111: icmp: echo reply
2026-02-04 18:24:01.933480 npudbg in 172.168.1.111 -> 172.168.1.62: icmp: echo request
2026-02-04 18:24:01.938172 npudbg in 172.168.1.62 -> 172.168.1.111: icmp: echo reply
^C
6 packets received by filter
0 packets dropped by kernel
```
FGT2:
```
config system switch-interface
    edit "sw_to_Machasa"
        set vdom "root"
        set member "Machasa_Main" "port13"
        set type switch
        set intra-switch-policy implicit
        set mac-ttl 300
        set span disable
    next
end
```

Upon switching the value to intra-switch-policy=explicit, the ICMP connection fails immediately, even though firewall policies allowing the traffic between the members are configured.
FGT1:
```
config system switch-interface
    edit "TO_MACHASA_LAN"
        set vdom "root"
        set member "N_Chahuan_Main" "x2"
        set intra-switch-policy explicit
    next
end
config firewall policy
    edit 13
        set name "x2_to_NChahuan"
        set srcintf "x2"
        set dstintf "N_Chahuan_Main"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 14
        set name "NChahuan_to_x2"
        set srcintf "N_Chahuan_Main"
        set dstintf "x2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end
```

The MAC addresses of the source and destination hosts have been learned on the SoftSwitch, each on the expected member interface:

```
FGT1 # diagnose netlink brctl name host TO_MACHASA_LAN | grep "b8:ca:3a:6d:1f:3d"
15      32      x2              b8:ca:3a:6d:1f:3d       0       Hit(0)

FGT1 # diagnose netlink brctl name host TO_MACHASA_LAN | grep "53:02:40"
1       132     N_Chahuan_Main  00:1e:08:53:02:40       6       Hit(6)
```
On FGT2:
```
config system switch-interface
    edit "sw_to_Machasa"
        set vdom "root"
        set member "Machasa_Main" "port13"
        set type switch
        set intra-switch-policy explicit
        set mac-ttl 300
        set span disable
    next
end
config firewall policy
    edit 2
        set name "port13_to_Machasa_Main"
        set srcintf "port13"
        set dstintf "Machasa_Main"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 3
        set name "Machasa_Main_to_port13"
        set srcintf "Machasa_Main"
        set dstintf "port13"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

```
FGT2 # diagnose netlink brctl name host sw_to_Machasa | grep "02:40"
2       25      port13          00:1e:08:53:02:40       1       Hit(1)

FGT2 # diagnose netlink brctl name host sw_to_Machasa | grep "b8:ca:3a:6d:1f:3d"
1       49      Machasa_Main    b8:ca:3a:6d:1f:3d       0       Hit(0)
```
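As an added example, not part of the article or of any Fortinet tool, the following Python check parses FortiOS CLI blocks in the form shown above and, for each SoftSwitch with intra-switch-policy explicit, lists the ordered member pairs that have no accept firewall policy; the embedded sample is constructed from the FGT1 names above with policy 14 deliberately omitted so that the check reports it. It accounts for untagged traffic only, since the Solution below states that VLAN tagged packets are not policy-checked at all.

```python
import re

# Constructed sample in the article's FortiOS CLI syntax; names and policy 13 come
# from the article, policy 14 (the reverse direction) is deliberately left out.
SAMPLE_CONFIG = """
config system switch-interface
    edit "TO_MACHASA_LAN"
        set member "N_Chahuan_Main" "x2"
        set intra-switch-policy explicit
    next
end
config firewall policy
    edit 13
        set srcintf "x2"
        set dstintf "N_Chahuan_Main"
        set action accept
    next
end
"""

def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into {table: {key: {attr: [values]}}}."""
    tables, table, key = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("config "):
            table = line[7:]
        elif line.startswith("edit ") and table is not None:
            key = line[5:].strip('"')
            tables.setdefault(table, {})[key] = {}
        elif line.startswith("set ") and key is not None:
            attr, _, rest = line[4:].partition(" ")
            # values are either "quoted" tokens or bare words
            tables[table][key][attr] = [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', rest)]
        elif line == "next":
            key = None
        elif line == "end":
            table = None
    return tables

def missing_intra_switch_policies(config_text):
    """(switch, srcintf, dstintf) triples of an explicit SoftSwitch with no accept policy."""
    cfg = parse_fortios(config_text)
    accept = [p for p in cfg.get("firewall policy", {}).values() if p.get("action") == ["accept"]]
    def covered(src, dst):
        return any(src in p.get("srcintf", []) and dst in p.get("dstintf", []) for p in accept)
    return [(name, src, dst)
            for name, sw in cfg.get("system switch-interface", {}).items()
            if sw.get("intra-switch-policy") == ["explicit"]  # implicit needs no policies
            for src in sw.get("member", []) for dst in sw.get("member", [])
            if src != dst and not covered(src, dst)]
```

Run on the sample it reports the missing N_Chahuan_Main to x2 direction; feed it the output of `show system switch-interface` and `show firewall policy` to audit a real unit.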
Solution:
At the moment, FortiOS does not support policy checking on VLAN tagged packets. If vlanforward is enabled on the switch members, VLAN tagged packets pass without a policy check (the same behaviour as an implicit intra-switch-policy).

As a workaround when the SoftSwitch has only two member interfaces, use a virtual wire pair instead:

```
config system virtual-wire-pair
    edit "TO_MACHASA_LAN"
        set member "N_Chahuan_Main" "x2"
        set wildcard-vlan enable
        set vlan-filter 10-10
    next
end
```
