
OpenStack — Network Service Header (NSH) Chaining Support

This version adds Network Service Header (NSH) chaining support for virtual wire pair networks in transparent (TP) mode. FortiOS receives NSH-encapsulated packets, strips the NSH header, applies firewall policies to the inner packet, and re-encapsulates it with the NSH header before sending it out.

NSH support in FortiGate consists of removing the NSH header on ingress and putting the same header back on egress. Other NSH functions are not supported yet; in particular, the Service Index (SI) is currently left unchanged.

There are no CLI or GUI changes. The only visible change is that the session list shows ext_header=nsh for NSH sessions.
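The unwrap, inspect, re-encapsulate step described above, modelled as an added example (this is not FortiOS code). It parses the NSH base and service path headers as defined in RFC 8300, exposes the inner IPv4 packet so a policy decision can be made on it, and re-wraps it with the original header untouched, so the SI stays unchanged as the page states. The sample packet, the SPI value and the policy stub are constructed for the example; the inner 5-tuple matches the session shown later on this page.

```python
"""Model of the NSH (RFC 8300) unwrap / re-encapsulate step. Added example,
not FortiOS code; the sample packet, SPI and policy stub are constructed."""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Next Protocol values from RFC 8300 section 2.2
NSH_NEXT_PROTO = {0x1: "IPv4", 0x2: "IPv6", 0x3: "Ethernet", 0x4: "NSH", 0x5: "MPLS"}


@dataclass(frozen=True)
class NshHeader:
    version: int
    o_bit: int       # OAM bit
    ttl: int         # 6 bits
    length: int      # header length in 4-byte words (base + service path + context)
    md_type: int
    next_proto: int
    spi: int         # Service Path Identifier, 24 bits
    si: int          # Service Index, 8 bits
    context: bytes   # MD Type 1: fixed 16 bytes; MD Type 2: variable-length TLVs

    def pack(self) -> bytes:
        """Serialize base header + service path header + context headers."""
        word0 = ((self.version & 0x3) << 30) | ((self.o_bit & 0x1) << 29)
        word0 |= ((self.ttl & 0x3F) << 22) | ((self.length & 0x3F) << 16)
        word0 |= ((self.md_type & 0xF) << 8) | (self.next_proto & 0xFF)
        word1 = ((self.spi & 0xFFFFFF) << 8) | (self.si & 0xFF)
        return struct.pack("!II", word0, word1) + self.context


def unwrap(packet: bytes) -> tuple[NshHeader, bytes]:
    """Strip the NSH encapsulation; returns (header, inner packet).
    Rejects malformed headers instead of trusting the Length field blindly."""
    if len(packet) < 8:
        raise ValueError("too short for NSH base + service path header")
    word0, word1 = struct.unpack("!II", packet[:8])
    if (word0 >> 30) != 0:
        raise ValueError("unsupported NSH version")
    md_type = (word0 >> 8) & 0xF
    hdr_len = ((word0 >> 16) & 0x3F) * 4
    if md_type == 1 and hdr_len != 24:
        raise ValueError("MD Type 1 requires Length == 6 words")
    if hdr_len < 8 or len(packet) < hdr_len:
        raise ValueError("NSH Length field inconsistent with packet size")
    hdr = NshHeader(
        version=word0 >> 30,
        o_bit=(word0 >> 29) & 1,
        ttl=(word0 >> 22) & 0x3F,
        length=hdr_len // 4,
        md_type=md_type,
        next_proto=word0 & 0xFF,
        spi=word1 >> 8,
        si=word1 & 0xFF,
        context=bytes(packet[8:hdr_len]),
    )
    return hdr, bytes(packet[hdr_len:])


def rewrap(hdr: NshHeader, inner: bytes) -> bytes:
    """Put the original NSH header back; SI and everything else unchanged."""
    return hdr.pack() + inner


def ipv4_flow(inner: bytes) -> tuple[str, str, int, int, int]:
    """(src, dst, proto, sport, dport) of an inner IPv4 packet carrying TCP/UDP."""
    ihl = (inner[0] & 0xF) * 4
    proto = inner[9]
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return src, dst, proto, sport, dport


def build_sample() -> bytes:
    """Constructed NSH MD Type 1 packet carrying the page's sample TCP flow."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     bytes([172, 16, 200, 11]), bytes([172, 16, 200, 55]))
    tcp = struct.pack("!HHIIBBHHH", 46739, 23, 1, 0, 0x50, 0x02, 65535, 0, 0)
    hdr = NshHeader(version=0, o_bit=0, ttl=63, length=6, md_type=1,
                    next_proto=0x1, spi=0x000100, si=255, context=bytes(16))
    return hdr.pack() + ip + tcp


def process(packet: bytes) -> tuple[tuple, bytes]:
    """Unwrap, inspect the inner packet, re-encapsulate. Returns (flow, egress bytes)."""
    hdr, inner = unwrap(packet)
    if hdr.next_proto != 0x1:
        name = NSH_NEXT_PROTO.get(hdr.next_proto, hex(hdr.next_proto))
        raise ValueError(f"inner protocol {name} not handled in this example")
    flow = ipv4_flow(inner)
    # A firewall policy lookup on `flow` would go here (assumed accept).
    return flow, rewrap(hdr, inner)


if __name__ == "__main__":
    flow, egress = process(build_sample())
    print("inner flow:", flow, "| egress identical to ingress:", egress == build_sample())
```

The Length check matters for a device in the middle of a chain: an NSH Length field larger than the packet must be rejected rather than used as an offset, and for MD Type 1 the length is fixed by the specification.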

Sample configuration

To configure the virtual wire pair and firewall policy using the CLI:
config system virtual-wire-pair
    edit "test-vw"
        set member "port1" "mgmt2"
    next
end
config firewall policy
    edit 99
        set uuid 241710a0-3ac6-51e9-10e9-9dd3eb65e708
        set srcintf "mgmt2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

Sample output after configuring the wire pair and policy between port1 and mgmt2: NSH packets are processed and the session list shows ext_header=nsh for the session.

A (vdom1) # diag sys session list

session info: proto=6 proto_state=01 duration=10 expire=3595 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=log may_dirty br src-vis dst-vis f00
statistic(bytes/packets/allow_err): org=112/2/1 reply=60/1/1 tuples=2
tx speed(Bps/kbps): 10/0 rx speed(Bps/kbps): 5/0
orgin->sink: org pre->post, reply pre->post dev=4->9/9->4 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 172.16.200.11:46739->172.16.200.55:23(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.55:23->172.16.200.11:46739(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
src_mac=00:00:11:11:11:11  dst_mac=00:00:22:22:22:22
misc=0 policy_id=99 auth_info=0 chk_client_info=0 vd=1
serial=0000094d tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=0x040001 no_offload
no_ofld_reason:  mac-host-check disabled-by-policy non-npu-intf
ext_header_type=nsh
total session 1