FortiGate
epiquette, Staff
Article Id 369200
Description This article explains how to allow the layer 2 traffic that Extreme Networks fabric switches exchange, so that their IS-IS adjacency establishes successfully across a FortiGate Virtual Wire Pair.
Scope FortiGate.
Solution
By default, a Virtual Wire Pair forwards IP traffic only: it does not pass the non-IP layer 2 frames that two Extreme Networks switches exchange when they build their IS-IS adjacency (IS-IS PDUs are carried directly in Ethernet frames, not inside IP), so the adjacency never comes up.
 
Example capture before enabling l2forward on the interfaces configured in the Virtual Wire Pair:
 
[Image: ExampleCaptureBeforeEnablingL2forward.png]
 
Example topology:
 
[Image: ExtremeSwitchesAdjacencyExample.png]
 
Note that if the IS-IS traffic is VLAN-tagged, the tagged frames must also be allowed through: either enable the Wildcard VLAN option when creating the Virtual Wire Pair, which passes every VLAN through the pair, or manually create each VLAN interface on both member ports and create a firewall policy for each VLAN.
 
config system virtual-wire-pair
    edit "ExtremeTraffic"
        set member "port10" "port11"
        set wildcard-vlan enable
    next
end
 
The following settings enable layer 2 forwarding of non-IP frames on the two interfaces used in the Virtual Wire Pair; in this example, port10 and port11 are used. It is also recommended to allow jumbo frames by raising the MTU on both interfaces: the 802.1ah (Mac-in-Mac) encapsulation used by the Extreme switches wraps each frame in an additional outer Ethernet header, so encapsulated frames exceed the default 1500-byte MTU. Note that mtu-override must be enabled for the configured mtu value to take effect.

config system interface
    edit port10
        set l2forward enable
        set mtu-override enable
        set mtu 9216
    next
    edit port11
        set l2forward enable
        set mtu-override enable
        set mtu 9216
    next
end
 
Once those settings are configured, the adjacency comes up between the Extreme switches, and a firewall policy can be configured to allow the traffic between the two interfaces. The policy must list both members as source and destination interfaces so that traffic is accepted in both directions.
 
config firewall policy
    edit 1
        set name "VWP-Policy"
        set srcintf "port10" "port11"
        set dstintf "port10" "port11"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
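The settings above are easy to miss on one of the two member ports, and a forgotten mtu-override silently leaves the MTU at 1500. The following script is an added example, not Fortinet code or part of the original article: it parses FortiOS CLI configuration text (the output of show system virtual-wire-pair, show system interface and show firewall policy pasted into one file) and reports anything that would stop IS-IS from crossing the pair. The pair name ExtremeTraffic and ports port10/port11 are the article's examples, the sample configurations are constructed, and the 22-byte 802.1ah overhead assumed for the minimum MTU is the outer DA/SA, B-TAG and I-TAG of a Mac-in-Mac header.

```python
"""Added example, not Fortinet code: check a FortiOS config for the VWP settings above."""
import shlex
# Bytes 802.1ah (Mac-in-Mac) adds to a frame: outer DA/SA (12) + B-TAG (4) + I-TAG (6).
MACINMAC_OVERHEAD = 22


def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}} from config/edit/set/next/end lines."""
    tables, stack = {}, []  # stack holds [table path, current entry] per open block
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        cmd = tokens[0]
        if cmd == "config":
            path = " ".join(tokens[1:])
            if stack and stack[-1][1] is not None:  # table nested inside an entry
                path = f"{stack[-1][0]}/{stack[-1][1]}/{path}"
            stack.append([path, None])
            tables.setdefault(path, {})
        elif cmd == "edit":
            stack[-1][1] = tokens[1]
            tables[stack[-1][0]].setdefault(tokens[1], {})
        elif cmd == "set":
            path, entry = stack[-1]  # entry is None for tables without 'edit'
            tables[path].setdefault(entry, {})[tokens[1]] = tokens[2:]
        elif cmd == "next":
            stack[-1][1] = None
        elif cmd == "end":
            stack.pop()
    return tables


def check_vwp(config_text, isis_tagged=True, min_mtu=1500 + MACINMAC_OVERHEAD):
    """Return findings; an empty list means IS-IS should pass the pair."""
    tables = parse_fortios(config_text)
    vwps = tables.get("system virtual-wire-pair", {})
    ifaces = tables.get("system interface", {})
    policies = tables.get("firewall policy", {})
    findings = [] if vwps else ["no virtual-wire-pair configured"]
    for name, attrs in vwps.items():
        members = attrs.get("member", [])
        if isis_tagged and attrs.get("wildcard-vlan") != ["enable"]:
            findings.append(f"{name}: wildcard-vlan disabled; tagged IS-IS frames are "
                            "dropped unless each VLAN gets its own interface and policy")
        for port in members:
            cfg = ifaces.get(port, {})
            if cfg.get("l2forward") != ["enable"]:
                findings.append(f"{port}: l2forward disabled; non-IP layer 2 frames "
                                "such as IS-IS hellos are not forwarded")
            # The configured mtu is only applied when mtu-override is enabled.
            mtu = int(cfg.get("mtu", ["1500"])[0]) if cfg.get("mtu-override") == ["enable"] else 1500
            if mtu < min_mtu:
                findings.append(f"{port}: effective MTU {mtu} < {min_mtu}; "
                                "802.1ah-encapsulated frames are oversized")
        # Both members must be source and destination of one accept policy.
        covered = any(
            set(members) <= set(pol.get("srcintf", []))
            and set(members) <= set(pol.get("dstintf", []))
            and pol.get("action") == ["accept"]
            for pol in policies.values()
        )
        if not covered:
            findings.append(f"{name}: no accept policy covers {' and '.join(members)}")
    return findings


# Constructed sample: the article's configuration (policy trimmed to the
# fields the check reads). Pair and port names are the article's examples.
ARTICLE_CONFIG = """
config system virtual-wire-pair
    edit "ExtremeTraffic"
        set member "port10" "port11"
        set wildcard-vlan enable
    next
end
config system interface
    edit port10
        set l2forward enable
        set mtu-override enable
        set mtu 9216
    next
    edit port11
        set l2forward enable
        set mtu-override enable
        set mtu 9216
    next
end
config firewall policy
    edit 1
        set srcintf "port10" "port11"
        set dstintf "port10" "port11"
        set action accept
    next
end
"""
# Constructed "before" state: no wildcard-vlan, ports at defaults, no policy.
DEFAULT_CONFIG = ARTICLE_CONFIG.split("config system interface")[0].replace(
    "        set wildcard-vlan enable\n", "")
```

Against ARTICLE_CONFIG the check returns no findings; against DEFAULT_CONFIG it reports the missing wildcard-vlan, l2forward and jumbo MTU on both ports, and the missing accept policy. Pass isis_tagged=False when the switches send IS-IS untagged, since wildcard-vlan is then not required. Raise min_mtu to the frame size the fabric actually uses if it carries jumbo customer frames; 1522 only covers standard 1500-byte payloads plus the Mac-in-Mac header.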
 
Note: UTM inspection of 802.1ah (Mac-in-Mac) encapsulated traffic is supported from v7.4.5 and v7.6.1 onwards.