fortimaster

intra-switch-policy explicit or implicit?

Hello everyone. I have a FortiGate on which I have created a software switch from 2 physical interfaces.

In that switch I have created some VLANs with IPs. Traffic between those VLANs doesn't work without policies, which is what I'm looking for. It's OK.

However, I have read about intra-switch-policy explicit and have verified that the policies that work are between the interfaces that make up the software switch. On the other hand, I give the IP to the software switch instead of to the VLANs. I have not been able to ping any VLAN within the software switch with the intra-switch-policy explicit command. It doesn't work even when I allow, in permit-all policies, the VLANs that I create and the physical interfaces of the software switch. I can only ping traffic between the interfaces of the software switch, which have the same IP.

So what I want is the first option, which works just the way I want it to. But I wonder if this way of configuring the software switch could give me security problems. And whether I can't reach the IP of the VLANs of the software switch because I'm doing something wrong (despite having tried everything).

Is it possible to connect to the IP of the VLANs of the software switch in explicit mode, or with this mode can you only make rules between the ports that make it up?
Thank you!

1 Solution
gfleming

If you just want to control inter-VLAN routing then you are fine as-is.

If you want to control intra-VLAN (that is, traffic within the same VLAN) you need to make some changes.

Let's just review fundamental networking concepts before we move on. You are surprised that VLAN 50 is passing through but you should not be. If the two switches were connected together directly (without the FGT in the middle) and you were not doing any VLAN pruning on the trunk interface then the behaviour would be exactly the same: VLAN 50 tagged packets would travel across the trunk no problem. There would be no filtering. The connections to the FortiGate are just a VLAN trunk, with no pruning and no filtering at L2.

Once you create the VLAN interfaces on the FortiGate you are now able to control traffic at L3; that is, inter-VLAN traffic.

Is this what you want?

Also, one thing to note is that a software switch will push all network processing to the CPU and not use the NP ASIC. Depending on your FGT model this could cause serious performance issues. Do you have the ability to create a hardware switch on your FGT model? Or do you have the ability to change your topology? Can the second switch be daisy-chained off the first switch?

Cheers,
Graham

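The two configurations discussed in this thread, written out as FortiOS CLI. This is an added example, not configuration posted by either participant; the interface names (softsw, port1, port2, vlan50, vlan60), VLAN IDs, addresses and policy IDs are assumed. Option 1 is the setup the original poster ended up keeping: a software switch in its default implicit mode, L3 VLAN sub-interfaces on it, and inter-VLAN traffic gated by firewall policy. Option 2 shows intra-switch-policy explicit, where the only policies the original poster confirmed working are those between the member ports themselves; the thread does not settle how VLAN sub-interfaces on the switch behave in that mode, so nothing beyond the member-port policy is shown for it.

```text
# FortiOS CLI (added example; names, VLAN IDs, addresses and policy IDs are assumed)

# ---- Option 1: implicit intra-switch policy, inter-VLAN control at L3 ----
# Member ports are switched at L2 with no pruning: a frame tagged VLAN 50
# that enters port1 is forwarded out port2 to a VLAN 50 host there, exactly
# as a normal two-port trunk switch would do. Only routed (inter-VLAN)
# traffic hits the policy table.
config system switch-interface
    edit "softsw"
        set vdom "root"
        set member "port1" "port2"
        set intra-switch-policy implicit
    next
end
config system interface
    edit "vlan50"
        set vdom "root"
        set ip 10.50.0.1 255.255.255.0
        set allowaccess ping
        set interface "softsw"
        set vlanid 50
    next
    edit "vlan60"
        set vdom "root"
        set ip 10.60.0.1 255.255.255.0
        set allowaccess ping
        set interface "softsw"
        set vlanid 60
    next
end
# Without a policy, vlan50 -> vlan60 is dropped by the implicit deny.
# This single policy allows only that direction; add a second one, or a
# tighter service list, for the reverse direction as your design requires.
config firewall policy
    edit 1
        set name "vlan50-to-vlan60"
        set srcintf "vlan50"
        set dstintf "vlan60"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# ---- Option 2: explicit intra-switch policy, L2 forwarding between members
# also needs a policy. The policy is written between the member ports, not
# between VLAN sub-interfaces. ----
config system switch-interface
    edit "softsw"
        set intra-switch-policy explicit
    next
end
config firewall policy
    edit 2
        set name "port1-to-port2"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

To confirm which path a packet is actually taking rather than inferring it from a host-side capture, run `diagnose sniffer packet any 'icmp' 4` on the FortiGate (verbosity 4 prints the ingress and egress interface names, so a frame switched port1 -> port2 at L2 looks different from one routed vlan50 -> vlan60), or use `diagnose debug flow filter addr 10.60.0.1`, `diagnose debug flow trace start 10` and `diagnose debug enable` to see which policy ID, if any, a flow matched. Remember to run `diagnose debug disable` afterwards.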

fortimaster

Thanks for your answers!

Yes, I want to control inter-VLAN routing and now I am sure that's the best option.

"You are surprised that VLAN 50 is passing through but you should not be"

I understand how VLAN 50 traffic passes between 2 switches without the FortiGate. But I'm surprised because the L2 traffic from port1 of the software switch goes through port2 as if it were a mirror port.

"Once you create the VLAN interfaces on the FortiGate you are now able to control traffic at L3; that is, inter-VLAN traffic. Is this what you want?"

Yes, that is just what I need.

About the firewall resources, it works fine with the software switch. I'm using a FortiGate 600E with CPU at 2% and memory at 35% after creating the software switch and passing some traffic through it.

Thank you very much for your help

gfleming

"I understand how VLAN 50 traffic passes between 2 switches without the FortiGate. But I'm surprised because the L2 traffic from port1 of the software switch goes through port2 as if it were a mirror port."

The software switch is a switch. It's a two-port switch in your case. Each of those two ports is a trunk port. There is no VLAN pruning. VLAN 50 traffic is not going through as if it were a mirror port, it's going through as if it were an L2 switch, which it is! :)

Just making sure you understand the fundamental networking concepts that are going on here so you don't get messed up in the future. If VLAN 50-tagged traffic hits one trunk port on your software switch it will be forwarded out the other port if the VLAN 50 host is connected on the other port, because that's how L2 switches operate.

Cheers,
Graham
fortimaster

I misinterpreted a Wireshark capture and had a different idea of what the software switch was. Thank you very much for your help, and it is clear that what I need is an implicit software switch. Thanks!