FortiGate
alif
Staff
Article Id 198381

Description


This article describes software switch intra-switch policy options.

Solution


Similar to a hardware switch, a software switch functions as a single interface.
Traffic between units connected to the member interfaces is not regulated by security policies, and traffic passing in and out of the switch is subject to the same policy.


Note that to add an interface to a software switch, the interface must not be referenced anywhere in the existing configuration. So change its role from LAN to Undefined, remove the address object associated with the interface, and then it can be added to the software switch (thanks to @mmfn42 for this clarification).


It must also have its IP address set to 0.0.0.0/0.0.0.0.

 

config system switch-interface
    edit "vxlan-switch"
        set vdom "root"
        set member "lan1" "vxlan"
        set intra-switch-policy implicit    <- Default is 'implicit'.
    next
end

 

The setting can only be changed from the CLI. Additionally, note that it has to be applied at the time the switch interface is first created: when the switch is created from the GUI, 'intra-switch-policy' is automatically set to 'implicit', as this is the default.

Once the switch interface has been created successfully, it will not be possible to change the 'intra-switch-policy' from implicit to explicit or vice-versa even from CLI.

An error like the following would appear:

 

intra-switch-policy cannot be changed once set.
object set operator error, 5 discard the setting
Command fail. Return code 5

 

Referring to the 'intra-switch-policy' command, there are two possible settings.

Set intra-switch-policy implicit.

  • This command implicitly allows traffic between switch members (default behavior).
  • In this case, the software switch works as a traditional switch that only maintains a MAC address table. In other words, firewall policies can only control north-south traffic (in and out of the switch).
  • Traffic among switch members does not need to create a firewall policy, traffic among members is always allowed.
  • No session table is maintained.
  • PC is able to point its gateway to the IP address of switch-interface.

Set intra-switch-policy explicit.

  • This command forces traffic between switch members to match firewall policies. Firewall policies have to be configured between the software switch members (session information is maintained in the session table).
  • In this case, the software switch works like a VDOM in transparent (TP) mode. In other words, it can only control east-west traffic (between the switch members).
  • Traffic among switch members requires a firewall policy to be allowed or denied.
  • As with a VDOM in TP mode, traffic cannot flow out of it.
  • The switch interface appears not to have L3 characteristics. For example, even if an IP address is set on the switch interface, a switch member cannot reach that IP address.
  • For VXLAN traffic on a device with an NP7 processor, which can offload VXLAN traffic, an explicit intra-switch-policy is required, because valid session information must be present in the session table.
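Because 'intra-switch-policy' cannot be changed once the switch exists, it is worth auditing a configuration before it is pushed. The following Python script is an added example, not code from this article or from Fortinet: it parses 'config system switch-interface' stanzas in the CLI text format shown above and flags software switches whose policy mode conflicts with the rules described here (a VXLAN member on an NP7 device with the default implicit policy, plus an informational note for any implicit switch, since its inter-member traffic bypasses firewall policy). The sample configuration, the set of VXLAN interface names, and the has_np7 flag are constructed inputs; on a real device the VXLAN interface names would be taken from its VXLAN configuration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample config (not from a real device): "vxlan-switch" has a
# VXLAN member but leaves intra-switch-policy at its default, while
# "office-switch" only bridges physical ports and uses explicit mode.
SAMPLE_CONFIG = """\
config system switch-interface
    edit "vxlan-switch"
        set vdom "root"
        set member "lan1" "vxlan"
    next
    edit "office-switch"
        set vdom "root"
        set member "lan2" "lan3"
        set intra-switch-policy explicit
    next
end
"""


@dataclass
class SwitchInterface:
    name: str
    vdom: str = ""
    members: list = field(default_factory=list)
    # The article states the default is 'implicit', so an absent
    # 'set intra-switch-policy' line means implicit.
    intra_switch_policy: str = "implicit"


def parse_switch_interfaces(config_text):
    """Parse the 'config system switch-interface' section into objects."""
    switches = []
    current = None
    in_section = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system switch-interface":
            in_section = True
            continue
        if not in_section:
            continue
        if line == "end":
            break
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = SwitchInterface(name=m.group(1))
            continue
        if line == "next":
            if current is not None:
                switches.append(current)
            current = None
            continue
        if current is None:
            continue
        m = re.match(r"set (\S+)\s+(.*)", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "vdom":
            current.vdom = value.strip('"')
        elif key == "member":
            # Members are a list of quoted interface names.
            current.members = re.findall(r'"([^"]+)"', value)
        elif key == "intra-switch-policy":
            current.intra_switch_policy = value
    return switches


def audit_switch_interfaces(config_text, vxlan_interfaces, has_np7):
    """Return (switch, code, message) findings based on the article's rules.

    vxlan_interfaces: names of interfaces known to be VXLAN (assumed input).
    has_np7: whether the platform has an NP7 that offloads VXLAN (assumed input).
    """
    findings = []
    for sw in parse_switch_interfaces(config_text):
        vxlan_members = sorted(set(sw.members) & set(vxlan_interfaces))
        if sw.intra_switch_policy != "implicit":
            continue
        if has_np7 and vxlan_members:
            findings.append((sw.name, "vxlan-needs-explicit",
                             "VXLAN member(s) %s on an NP7 device require "
                             "'set intra-switch-policy explicit' at creation; "
                             "the setting cannot be changed afterwards."
                             % ", ".join(vxlan_members)))
        findings.append((sw.name, "members-unrestricted",
                         "implicit policy: traffic between members %s is "
                         "always allowed and no session table is kept."
                         % ", ".join(sw.members)))
    return findings


if __name__ == "__main__":
    for name, code, msg in audit_switch_interfaces(SAMPLE_CONFIG, {"vxlan"}, True):
        print(f"{name}: [{code}] {msg}")
```

Run the audit against the output of 'show system switch-interface' before creating a switch; if it reports vxlan-needs-explicit, the switch has to be recreated from the CLI with the explicit setting, since the error shown earlier in this article prevents changing it in place.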