How can we build policies (or otherwise) to block or allow specific ethertype traffic to traverse a switch-interface "soft switch" which has intra-switch-policy = explicit?
We have bridged two 60E FGT units running 5.6 such that internal1 on FGT1 and internal1 on FGT2 appear to be on the same physical segment. We have used an IPsec tunnel with VXLAN encapsulation, based on this KB article. The IPsec tunnels terminate on loopback interfaces to simplify dynamic routing. The IPsec tunnel and the local port are members of a switch-interface. All this is fine.
With the switch-interface set to intra-switch-policy = implicit (i.e. allow all traffic), everything operates as expected.
We wish to set intra-switch-policy = explicit and then restrict traffic over the VXLAN. The primary traffic of interest is multicast and has its own ethertype. Is it possible to allow traffic based on its ethertype, and how can this be done?