Hi all, I'm experiencing some issues with a software switch configuration.
To elaborate, I have two sets of interfaces (configured as 802.3ad Aggregate) named INT1 and INT2, both as members of a software switch.
The software switch has the option of Intra-switch policy Explicit enabled.
Within the software switch, I have defined a VLAN (100). However, when attempting to ping from a PC on VLAN 100 connected to INT1 to another PC on VLAN 100 connected to INT2, the connection doesn't work.
I'm aware of the need to specify a policy to permit traffic between the PCs, but every kind of test I have made has yielded no result.
Does anyone have any ideas on how the policy should be set?
Thank you,
Hello @ASR ,
If you want clients to communicate with each other in the same VLAN, you need to change the intra-switch policy from explicit to implicit. In your configuration (explicit), you need to configure a firewall policy like src vlan100 dst vlan100 to allow intra-VLAN traffic.
You can find more information about the intra-switch policy at this link.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Software-switch-policy/ta-p/198381
Hi Ozkanaltas, thank you for your suggestion.
I've already added a policy from VLAN100 to VLAN100 with no restrictions on source, destination, and service, but it's not working.
Is there something else I need to do to enable this kind of traffic?
Thanks,
Created on 03-18-2024 09:15 AM Edited on 03-18-2024 09:15 AM
Hi @ASR ,
Which scenario do you prefer: all traffic allowed by the switch, or creating a policy for this traffic?
If you want all traffic allowed in the switch, you can change your intra-switch policy from explicit to implicit.
set intra-switch-policy implicit
For the second scenario, can you run a traffic sniffer in the CLI? After that, can you try to reach one client from the other? Also, can you share the output with us?
diagnose sniffer packet any 'host x.x.x.x and host x.x.x.x' 4 a (Replace x.x.x.x with the client IP addresses)
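The two options described above (implicit intra-switch policy, or explicit policy plus a VLAN100-to-VLAN100 firewall policy) written out as FortiOS CLI configuration. This is an added example, not configuration posted in the thread; the switch name sw0, the VLAN interface name VLAN100, the 192.0.2.0/24 addresses and the policy name are assumptions.

```text
# --- Option 1: implicit intra-switch policy (all traffic between members is switched) ---
config system switch-interface
    edit "sw0"
        set vdom "root"
        set member "INT1" "INT2"
        set intra-switch-policy implicit
    next
end

# --- Option 2: explicit intra-switch policy; intra-VLAN traffic needs a firewall policy ---
config system switch-interface
    edit "sw0"
        set vdom "root"
        set member "INT1" "INT2"
        set intra-switch-policy explicit
    next
end
config system interface
    edit "VLAN100"
        set vdom "root"
        set interface "sw0"
        set vlanid 100
        set ip 192.0.2.1 255.255.255.0    # assumed FortiGate address on the VLAN
        set allowaccess ping
    next
end
config firewall policy
    edit 0
        set name "vlan100-intra"         # assumed name
        set srcintf "VLAN100"
        set dstintf "VLAN100"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Check while pinging between the two PCs (assumed 192.0.2.10 and 192.0.2.20):
# capture on all interfaces; verbosity 4 prints the interface name of each packet,
# count 0 means unlimited, 'a' uses absolute timestamps.
diagnose sniffer packet any 'host 192.0.2.10 and host 192.0.2.20' 4 0 a
```

If no packets from the two hosts appear on any interface, the traffic is not reaching the FortiGate and the firewall policy is not the component to look at first.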
Hi @ASR,
Are those 802.3ad Aggregate interfaces connected to FortiSwitches? You need to run a packet sniffer to make sure traffic is reaching the FortiGate.
Regards,
Created on 03-19-2024 08:34 AM Edited on 03-19-2024 08:36 AM
Hi @hbac, yes, we have two 802.3ad aggregate interfaces as members of the software switch. VLANs are defined within the software switch.
@ozkanaltas The strange thing is, I don't see any traffic (whether permitted or denied) from the two hosts behind the aggregate ports.
On which interface should I expect to view traffic? VLAN level, software switch level, or interface aggregate level?
Thank you
@ASR,
Since traffic is going to the same subnet, the switch will not forward it to the default gateway by default. Are you using FortiSwitch?
Regards,
No, it's configured on a FortiGate 400F, and behind the aggregate interfaces are Cisco switches.
It's set up with two trunk interfaces that are 802.3ad aggregates and members of a software switch. In a single stack configuration, it should resemble the following:
However with explicit configuration, I can't see any packets being transmitted between PC1 and PC2, and vice versa.
Regards,
Hello @ASR ,
I think the problem is in the aggregate configuration.
Why did you need the aggregate configuration? I think you don't need an aggregate configuration on the FortiGate. Anyway, software switching will use the relevant cables as if they were a single cable.
Did you configure aggregation on the switch as well? If you didn't, the aggregate will not work with a one-sided configuration.