FortiGate
majid23 (Staff)
Article Id 266758

Description

 

This article describes how to configure a traffic shaper for VXLAN traffic that carries multiple VLANs over an IPsec tunnel. The goal is to give high-priority traffic from the Head Office to the Branch the desired priority on the IPsec tunnel interface.

 

Scope

 

VXLAN over IPsec for multiple VLANs, where each VLAN interface and its VXLAN interface are bridged by a software switch. See the related article on configuring that setup.

 

[Topology diagram]

Solution

 

Prior to implementing the traffic shaper, the software switch configuration on FortiGate-1 is as follows. The switch is named Vxlan50 and bridges the VLAN interface vlan50 with the VXLAN interface vxlan.50:

config sys switch-interface
    edit "Vxlan50"
        set vdom "root"
        set member "vlan50" "vxlan.50"
        set type switch
        set intra-switch-policy implicit
        set mac-ttl 300
        set span disable
    next
end

 


To examine the communication between PC-1 (10.0.0.1) and PC-2 (10.0.0.2), run a packet capture with the built-in sniffer and inspect the session table on FortiGate-1.

The sniffer and session table outputs on FortiGate-1 are shown below.

 

diag sniffer packet any "host 10.0.0.2 and icmp" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.0.0.2 and icmp]
2023-07-26 18:30:14.401006 vlan50 in 10.0.0.1 -> 10.0.0.2: icmp: echo request
2023-07-26 18:30:14.401027 vxlan.50 out 10.0.0.1 -> 10.0.0.2: icmp: echo request
2023-07-26 18:30:14.403638 vxlan.50 in 10.0.0.2 -> 10.0.0.1: icmp: echo reply
2023-07-26 18:30:14.403641 vlan50 out 10.0.0.2 -> 10.0.0.1: icmp: echo reply
2023-07-26 18:30:14.403659 port2 out 10.0.0.2 -> 10.0.0.1: icmp: echo reply

dia sys session filter src 10.0.0.1
dia sys session filter dst 10.0.0.2
dia sys session list

total session 0

 

  • Ping requests and replies between PC-1 and PC-2 are visible in the sniffer on FortiGate-1 (in on vlan50, out on vxlan.50, and back), yet the session table shows no session at all.
  • A FortiGate session is only created when traffic is matched against a firewall policy. The software switch Vxlan50 bridges its member interfaces vlan50 and vxlan.50 at Layer 2, and with the default 'set intra-switch-policy implicit' frames are switched between the members without a policy lookup. No policy is hit, so no session is created, and without a session no traffic shaper can be applied to this traffic.
  • Note: 'intra-switch-policy' is set to 'implicit' by default when a software switch is created. 'Implicit' means that all traffic between member interfaces of the same software switch is permitted without any firewall policy; 'explicit' means that such traffic must match a firewall policy, which also makes it visible in the session table and subject to traffic shaping.

 

Implement a traffic shaping policy for VXLAN 50 on FortiGate-1 (Head Office). This ensures that the traffic on VXLAN 50 receives the desired priority when it is transmitted over the IPsec tunnel from the Head Office to the Branch.

 

 

Step 1: Set 'intra-switch-policy' to 'explicit' on the software switch.

With intra-switch-policy set to explicit, the software switch requires an explicit firewall policy for all traffic between its member interfaces vlan50 and vxlan.50.

Note: The intra-switch-policy of an existing software switch cannot be changed from implicit to explicit. Attempting to do so in the CLI fails with the following error:

 

config system switch-interface
    edit Vxlan50
        set intra-switch-policy explicit
    end
intra-switch-policy cannot be changed once set.
object set operator error, 5 discard the setting
Command fail. Return code 5

 

Therefore, remove both member interfaces, vlan50 and vxlan.50, from the software switch, and once they are removed delete the software switch interface Vxlan50 itself. The switch can only be deleted when nothing references it any more: firewall policies, address objects or other settings that use the Vxlan50 interface must be removed or changed first. Traffic between vlan50 and vxlan.50 is interrupted until the switch is recreated, so perform this change in a maintenance window.

 

[Screenshot: removing the members and deleting the Vxlan50 software switch in the GUI]

 

 

Create a new software switch interface Vxlan50 with the same members and set intra-switch-policy to explicit. The intra-switch-policy option is only available in the CLI:

 

config sys switch-interface
    edit "Vxlan50"
        set vdom "root"
        set member "vlan50" "vxlan.50"
        set type switch
        set intra-switch-policy explicit
        set mac-ttl 300
        set span disable
    next
end

 

[Screenshot: the recreated Vxlan50 software switch]

 

 

Step 2: With the intra-switch policy set to explicit, FortiGate allows (and requires) a firewall policy between the vlan50 and vxlan.50 interfaces. Create a policy from vlan50 to vxlan.50 for the traffic from the Head Office to the Branch. Keep in mind that traffic initiated from the Branch side (arriving on vxlan.50 and leaving on vlan50) also needs a matching policy once the intra-switch policy is explicit; otherwise it is dropped.

 

[Screenshot: firewall policy from vlan50 to vxlan.50]

 

Step 3: After configuring the firewall policy, create the traffic shaper and the traffic shaping policy. Navigate to Policy & Objects -> Traffic Shaping.

  1. Create a traffic shaper (in this example it is named 'high-priority', with the priority set to high).

[Screenshot: traffic shaper]

  2. Create a traffic shaping policy that matches the vlan50 to vxlan.50 traffic and applies the shaper to both the original and the reverse direction.

[Screenshot: traffic shaping policy]
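The same three steps as a CLI configuration, added here as an example; it is not part of the original article. The interface and switch names (vlan50, vxlan.50, Vxlan50), the shaper name 'high-priority' and the policy IDs (firewall policy 3, shaping policy 1) are taken from the configuration and session output shown in this article. The policy and shaping-policy names, the use of the 'all' address and the 'ALL' service are assumptions; restrict them to the real subnets and services in production. The bandwidth values are derived from the session output, where guarantee and max are both 131072000 Bps: 131072000 x 8 / 1000 = 1048576 kbps.

```text
# --- Step 1: rebuild the software switch with an explicit intra-switch policy ---
# Anything that references Vxlan50 (firewall policies, address objects) must be
# removed before the switch can be deleted. Traffic between vlan50 and vxlan.50
# is interrupted until the switch is recreated below.
config system switch-interface
    edit "Vxlan50"
        unset member
    next
    delete "Vxlan50"
end

# intra-switch-policy cannot be changed later, so it is set when the switch is created.
config system switch-interface
    edit "Vxlan50"
        set vdom "root"
        set type switch
        set intra-switch-policy explicit
        set member "vlan50" "vxlan.50"
    next
end

# --- Step 2: firewall policy between the switch members (Head Office -> Branch) ---
# Policy ID 3 matches policy_id=3 in the session output of this article.
# The policy name and the all/ALL matching are assumptions for this example.
config firewall policy
    edit 3
        set name "HO-vlan50-to-Branch-vxlan50"
        set srcintf "vlan50"
        set dstintf "vxlan.50"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end

# --- Step 3a: traffic shaper ---
# 1048576 kbps guaranteed and maximum correspond to the 131072000 Bps values
# shown for the shaper in the session output.
config firewall shaper traffic-shaper
    edit "high-priority"
        set guaranteed-bandwidth 1048576
        set maximum-bandwidth 1048576
        set priority high
    next
end

# --- Step 3b: traffic shaping policy ---
# Shaping policy ID 1 matches shaping_policy_id=1 in the session output.
# traffic-shaper-reverse applies the same shaper to the reply direction
# (reply-shaper in the session output). The policy name is an assumption.
config firewall shaping-policy
    edit 1
        set name "shape-vxlan50"
        set srcintf "vlan50"
        set dstintf "vxlan.50"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set traffic-shaper "high-priority"
        set traffic-shaper-reverse "high-priority"
    next
end

# --- Verification ---
# Clear any filter left over from an earlier diagnostic session before filtering.
diagnose sys session filter clear
diagnose sys session filter src 10.0.0.1
diagnose sys session filter dst 10.0.0.2
diagnose sys session list
# Per-shaper counters (current bandwidth, packets and bytes dropped).
diagnose firewall shaper traffic-shaper list
```

In the session listing, check that origin-shaper and reply-shaper both show 'high-priority' and that policy_id and shaping_policy_id are the IDs configured above; a session without these fields means the traffic did not match the shaping policy. The shaper counters from 'diagnose firewall shaper traffic-shaper list' are the place to look when the tunnel is saturated: a growing dropped-packet count on a shaper with a lower priority is the expected behaviour, a growing count on 'high-priority' is not.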

 

Network topology after traffic shaper implementation appears as follows:

 

[Topology diagram after the traffic shaper implementation]

 

Examine the communication between PC-1 (10.0.0.1) and PC-2 (10.0.0.2) again with the sniffer and the session table on FortiGate-1. This time a session is created for the PC-1 to PC-2 traffic on VXLAN 50, and the traffic shaper is applied to it in both directions.

 

diag sniffer packet any "host 10.0.0.2 and icmp" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.0.0.2 and icmp]
2023-07-27 23:03:32.301056 vlan50 in 10.0.0.1 -> 10.0.0.2: icmp: echo request
2023-07-27 23:03:32.301183 vxlan.50 out 10.0.0.1 -> 10.0.0.2: icmp: echo request
2023-07-27 23:03:32.303030 vxlan.50 in 10.0.0.2 -> 10.0.0.1: icmp: echo reply
2023-07-27 23:03:32.303037 vlan50 out 10.0.0.2 -> 10.0.0.1: icmp: echo reply
2023-07-27 23:03:32.303038 port2 out 10.0.0.2 -> 10.0.0.1: icmp: echo reply

dia sys session filter src 10.0.0.1
dia sys session filter dst 10.0.0.2
dia sys session list

 

session info: proto=1 proto_state=00 duration=2 expire=59 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=high-priority prio=2 guarantee 131072000Bps max 131072000Bps traffic 180Bps drops 0B
reply-shaper=high-priority prio=2 guarantee 131072000Bps max 131072000Bps traffic 180Bps drops 0B
per_ip_shaper=
class_id=0 shaping_policy_id=1 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=may_dirty br os rs
statistic(bytes/packets/allow_err): org=180/3/1 reply=180/3/1 tuples=2
tx speed(Bps/kbps): 85/0 rx speed(Bps/kbps): 85/0
orgin->sink: org pre->post, reply pre->post dev=14->17/17->14 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 10.0.0.1:1->10.0.0.2:8(0.0.0.0:0)
hook=post dir=reply act=noop 10.0.0.2:1->10.0.0.1:0(0.0.0.0:0)
src_mac=50:00:00:05:00:00
misc=0 policy_id=3 pol_uuid_idx=14730 auth_info=0 chk_client_info=0 vd=0
serial=00000a76 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100
no_ofld_reason:  npu-flag-off
total session 1

The fields that confirm the configuration is working:

  • origin-shaper and reply-shaper are both 'high-priority', so the shaper is applied to the original and to the reply direction of the session (prio is the numeric value of the shaper's priority setting; guarantee and max are the configured bandwidths in bytes per second).
  • policy_id=3 and shaping_policy_id=1 identify the firewall policy and the traffic shaping policy that the session matched; traffic that is bridged by the software switch without hitting a policy never gets here.
  • drops 0B on both shapers shows that the shaper has not yet discarded any packets of this session; a growing value indicates that the session is being limited by the shaper.

 

Note: Repeat Steps 1 to 3 for each additional VXLAN, i.e. for each software switch that bridges a VLAN interface with its VXLAN interface (for example a switch Vxlan60 with the members vlan60 and vxlan.60), giving each its own firewall policy and traffic shaping policy.
