Consider the following VLAN interfaces configured on FortiGate-I.
config system interface
    edit "vlan111"
        set vdom "root"
        set ip 10.111.1.1 255.255.255.252
        set allowaccess ping
        set interface "vlan222"
        set vlanid 111
        set snmp-index 10
    next
    edit "vlan222"
        set vdom "root"
        set interface "port1"
        set vlanid 222
        set snmp-index 20
    next
    edit "port1"
        set vdom "root"
        set role lan
        set type physical
        set snmp-index 30
    next
end
Likewise, the following VLAN interfaces are configured on FortiGate-II.
config system interface
    edit "vlan111"
        set vdom "root"
        set ip 10.111.1.2 255.255.255.252
        set allowaccess ping
        set interface "vlan222"
        set vlanid 111
        set snmp-index 40
    next
    edit "vlan222"
        set vdom "root"
        set interface "port2"
        set vlanid 222
        set snmp-index 50
    next
    edit "port2"
        set vdom "root"
        set role lan
        set type physical
        set snmp-index 60
    next
end
The network topology is as follows:
Windows10 (10.203.6.120) -- [(port10) FortiGate-I {port1 -- vlan222 -- vlan111 (10.111.1.1)}] ======= [{vlan111 (10.111.1.2) -- vlan222 -- port2} FortiGate-II (port20)] -- Windows10 (10.207.15.153)
On FortiGate-I, a firewall policy has been configured to allow traffic between the two Windows clients. Note that the egress interface is vlan111, which is itself stacked on vlan222, so packets leaving port1 carry two 802.1Q tags.
config firewall policy
    edit 1
        set name "Q-in-Q-Testing"
        set srcintf "port10"
        set dstintf "vlan111"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
With hardware offloading left enabled on firewall policy ID 1 (auto-asic-offload enable, the default), only the first two ICMP echo requests are answered. The sniffer on FortiGate-I shows both exchanges traversing port10 -> vlan111 -> vlan222 -> port1 and back, after which no further packets for this flow are seen:
FortiGate-I # diagnose sniffer packet any "host 10.207.15.153 and icmp" 4 0 l
interfaces=[any]
filters=[host 10.207.15.153 and icmp]
2025-01-09 09:20:37.184550 port10 in 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:37.184564 vlan111 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:37.184565 vlan222 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:37.184567 port1 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:37.184617 vlan111 in 10.207.15.153 -> 10.203.6.120: icmp: echo reply
2025-01-09 09:20:37.184623 port10 out 10.207.15.153 -> 10.203.6.120: icmp: echo reply
2025-01-09 09:20:38.181920 port10 in 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:38.181932 vlan111 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:38.181933 vlan222 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:38.181935 port1 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:38.181969 vlan111 in 10.207.15.153 -> 10.203.6.120: icmp: echo reply
2025-01-09 09:20:38.181978 port10 out 10.207.15.153 -> 10.203.6.120: icmp: echo reply
^C
12 packets received by filter
0 packets dropped by kernel
Traffic passes normally once hardware offloading is disabled on the firewall policy, which keeps the session in the CPU path instead of handing it to the NP7:
config firewall policy
    edit 1
        set auto-asic-offload disable
    next
end
The reason is that the NP7 cannot offload 802.1Q over 802.1Q (Q-in-Q) traffic; this is a hardware design limitation, not a misconfiguration. The NP7 supports offloading of 802.1Q over 802.1AD only. Disabling auto-asic-offload moves that policy's traffic to the CPU, so apply it only to the policies that carry double-tagged traffic; where the peer supports it, carrying the outer tag as 802.1AD keeps hardware offload available.
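As an added example (not part of the Fortinet article), the following Python script parses FortiOS CLI text, finds VLAN interfaces stacked on another 802.1Q VLAN interface, and lists the firewall policies that use such an inner VLAN while auto-asic-offload is still enabled. The embedded sample configuration is constructed from the FortiGate-I settings above, with an extra policy 2 that already has offload disabled; the check for an 802.1AD outer tag assumes the outer VLAN is configured with the FortiOS vlan-protocol 8021ad interface setting.

```python
"""Audit FortiOS CLI text for 802.1Q-over-802.1Q VLAN stacks, which NP7 cannot
offload, and list firewall policies on them that still have offload enabled."""
import shlex

# Constructed sample modelled on the FortiGate-I configuration: vlan111 rides on
# vlan222, which rides on port1. Neither VLAN sets vlan-protocol, so both tags are
# 802.1Q. Policy 2 is an added variant with offload already disabled.
SAMPLE_CONFIG = """
config system interface
    edit "vlan111"
        set ip 10.111.1.1 255.255.255.252
        set interface "vlan222"
        set vlanid 111
    next
    edit "vlan222"
        set interface "port1"
        set vlanid 222
    next
    edit "port1"
        set type physical
    next
end
config firewall policy
    edit 1
        set name "Q-in-Q-Testing"
        set srcintf "port10"
        set dstintf "vlan111"
        set action accept
    next
    edit 2
        set srcintf "port10"
        set dstintf "vlan111"
        set action accept
        set auto-asic-offload disable
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI text into {table: {entry: {key: [values]}}}. Only top-level
    config tables are recorded; nested sub-tables inside an edit block are tracked
    for depth but their settings are skipped."""
    tables = {}
    stack = []  # one [table_name, current_entry] frame per open config block
    for raw in text.splitlines():
        words = shlex.split(raw)  # strips the quotes around names like "vlan111"
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            stack.append([" ".join(args), None])
        elif cmd == "end" and stack:
            stack.pop()
        elif cmd == "edit" and stack:
            stack[-1][1] = args[0]
            if len(stack) == 1:
                tables.setdefault(stack[0][0], {}).setdefault(args[0], {})
        elif cmd == "next" and stack:
            stack[-1][1] = None
        elif cmd == "set" and len(stack) == 1 and stack[0][1] is not None:
            tables[stack[0][0]][stack[0][1]][args[0]] = args[1:]
    return tables


def find_qinq_stacks(interfaces):
    """Return {inner_vlan: outer_vlan} for each VLAN interface whose parent is itself
    an 802.1Q VLAN. An outer VLAN tagged 802.1AD (assumed to be configured with
    'set vlan-protocol 8021ad') gives 802.1Q over 802.1AD, which NP7 can offload,
    so it is not reported. vlan-protocol defaults to 8021q when absent."""
    stacks = {}
    for name, cfg in interfaces.items():
        parent = interfaces.get(cfg.get("interface", [None])[0], {})
        if "vlanid" in cfg and "vlanid" in parent:
            if parent.get("vlan-protocol", ["8021q"])[0] == "8021q":
                stacks[name] = cfg["interface"][0]
    return stacks


def policies_needing_cpu(policies, stacks):
    """Return IDs of policies whose srcintf or dstintf is a Q-in-Q inner VLAN while
    hardware offload is still on (auto-asic-offload defaults to enable)."""
    flagged = []
    for pid, cfg in policies.items():
        touches = set(cfg.get("srcintf", []) + cfg.get("dstintf", []))
        if touches & set(stacks) and cfg.get("auto-asic-offload", ["enable"])[0] == "enable":
            flagged.append(pid)
    return sorted(flagged)


def audit(text):
    """Run both checks over one FortiOS CLI dump."""
    tables = parse_fortios(text)
    stacks = find_qinq_stacks(tables.get("system interface", {}))
    return stacks, policies_needing_cpu(tables.get("firewall policy", {}), stacks)


if __name__ == "__main__":
    stacks, flagged = audit(SAMPLE_CONFIG)
    for inner, outer in stacks.items():
        print(f"{inner} over {outer}: 802.1Q over 802.1Q, NP7 cannot offload")
    for pid in flagged:
        print(f"policy {pid}: set auto-asic-offload disable, or tag the outer VLAN 802.1AD")
```

On a real unit, feed the script the concatenated output of `show system interface` and `show firewall policy`; a policy is only flagged when it egresses or ingresses on the inner VLAN of a stack, since a policy on the outer VLAN alone emits a single tag and offloads normally.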