FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
alif, Staff
Article Id 198381

Description


This article discusses the intra-switch policy options of a software switch.

Solution


A software switch, or soft switch, is a virtual switch that is implemented at the software, or firmware level, rather than the hardware level.
A software switch can be used to simplify communication between units connected to different FortiGate interfaces.
The software switch allows physical and virtual interfaces to be grouped together.
For example, using a software switch, the FortiGate interface connected to an internal network can be placed on the same subnet as wireless interfaces.
Units on the internal network can then communicate with units on the wireless network without any additional configuration on the FortiGate, such as additional security policies.


Similar to a hardware switch, a software switch functions like a single interface.
Traffic between units connected to each member interface is not regulated by security policies, and traffic passing in and out of the switch is subject to the same policies.


Note that an interface cannot be added to a software switch while it is referenced elsewhere in the existing configuration. Change its role from LAN to Undefined and remove the address object associated with the interface; it can then be added to the software switch (thanks to @mmfn42 for this detail).


The interface must also have its IP address set to 0.0.0.0/0.0.0.0.


# config system switch-interface
    edit "vxlan-switch"
        set vdom "root"
        set member "lan1" "vxlan"
        set intra-switch-policy implicit <- Default is 'implicit'.
    next
end


The 'intra-switch-policy' setting has two possible values.

Set intra-switch-policy implicit.

- This command implicitly allows traffic between switch members (default behavior).
- In this case, the software switch works as a traditional switch that only maintains a MAC address table. In other words, the FortiGate can only control north-south traffic (between the switch and the rest of the network).
- Traffic among switch members does not require a firewall policy; it is always allowed.
- No session table is maintained.
- A PC can point its default gateway at the IP address of the switch interface.

Set intra-switch-policy explicit.

- This setting forces traffic between switch members to match firewall policies, so firewall policies must be configured between the software switch members (session information is maintained in the session table).
- In this case, the software switch works like a VDOM in transparent (TP) mode. In other words, it can only control east-west traffic (between switch members).
- Traffic among switch members requires a firewall policy to allow or deny it.
- Traffic cannot flow out of the VDOM in TP mode.
- The switch interface does not appear to have L3 characteristics. For example, even if an IP address is set on the switch interface, switch members cannot reach that IP address.

- For VXLAN traffic on a device with an NP7 (which can offload VXLAN traffic), an explicit intra-switch policy is required, because valid session information must exist in the session table.
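To check an existing configuration against the rules above (default mode is implicit, VXLAN members on NP7 need explicit, members must carry no IP address), here is an added audit script; it is a constructed example, not Fortinet code, and it detects VXLAN members only by a name heuristic on the constructed sample config.

```python
# Added config audit (constructed example, not Fortinet's code) for the rules above.
import shlex
# Constructed sample: a VXLAN member on a switch left at the implicit default, and a member with an IP.
SAMPLE_CONFIG = """\
config system interface
    edit "lan1"
        set ip 192.168.1.99 255.255.255.0
    next
end
config system switch-interface
    edit "vxlan-switch"
        set member "lan1" "vxlan"
    next
    edit "lan-switch"
        set member "lan2" "lan3"
        set intra-switch-policy explicit
    next
end
"""

def parse_sections(text):
    """Map each top-level config block to {entry: {setting: [values]}}; nested blocks are skipped."""
    sections, depth, section, entry = {}, 0, None, None
    for parts in filter(None, (shlex.split(line) for line in text.splitlines())):
        if parts[0] == "config":
            depth += 1
            if depth == 1:  # new top-level table: reset the current entry
                section, entry = " ".join(parts[1:]), None
                sections[section] = {}
        elif parts[0] == "end":
            depth -= 1
        elif depth == 1 and parts[0] == "edit":
            entry = parts[1]
            sections[section][entry] = {}
        elif depth == 1 and parts[0] == "set" and entry is not None:
            sections[section][entry][parts[1]] = parts[2:]  # keep every value of multi-value settings
    return sections

def audit_software_switches(text):
    """Return findings per switch; VXLAN membership is guessed from the member name (heuristic)."""
    cfg = parse_sections(text)
    findings = []
    for name, s in cfg.get("system switch-interface", {}).items():
        mode = s.get("intra-switch-policy", ["implicit"])[0]  # absent => FortiOS default 'implicit'
        members = s.get("member", [])
        if mode == "implicit" and any("vxlan" in m.lower() for m in members):
            findings.append(f"{name}: implicit intra-switch-policy with VXLAN member; NP7 offload needs explicit")
        for m in members:
            ip = cfg.get("system interface", {}).get(m, {}).get("ip", ["0.0.0.0", "0.0.0.0"])
            if ip[0] != "0.0.0.0":
                findings.append(f"{name}: member {m} still has IP {ip[0]} {ip[1]}; must be 0.0.0.0/0.0.0.0")
    return findings
```

Run it against a full `show full-configuration` dump instead of SAMPLE_CONFIG to audit a real device; the explicit-mode switch in the sample produces no findings.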


Related documents:
https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-networking/Interfaces/Software%20swi...
https://docs.fortinet.com/document/fortigate/6.2.3/cli-reference/7620/system-switch-interface