Reset the VLAN DEI bit when passing through a FortiGate in NAT mode 6.4.9

When a FortiGate is in NAT mode, a VLAN tag with a Drop Eligible Indicator (DEI, formerly CFI or Canonical Format Indicator) bit set is reset to 0 after passing through the FortiGate. In transparent mode or when passing through a virtual wire pair, the DEI bit is not changed.

Topology

Example 1

In this example, the incoming traffic arriving on port3 has its VLAN DEI bit set to 1. When the traffic egresses on port4, the DEI bit is reset to 0.

To verify the DEI bits:
  1. Sniff the traffic on port3:
    # diagnose sniffer packet port3 "" 6
    
    129.698250 port3 -- 802.1Q vlan#1105 P7
    0x0000 704c a553 1954 0010 9411 0001 8100 f451 pL.S.T.........Q
    0x0010 0800 45c0 006a 0006 0000 ff11 b4b6 0101 ..E..j..........
    0x0020 0102 0202 0202 0400 0400 0056 b4be 0000 ...........V....
    0x0030 0000 0000 0000 0000 0000 0000 0000 0000 ................
    0x0040 0000 0000 0000 0000 0000 0000 0000 0000 ................
    0x0050 0000 0000 0000 0000 0000 0000 0000 0000 ................
    0x0060 0000 0000 0000 0000 9313 aa44 52c1 90e3 ...........DR...
    0x0070 d1ec dcb0 6c0b 4301 84cc 3909 ....l.C...9.
  2. Sniff the traffic on port4:
    # diagnose sniffer packet port4 "" 6
    
    42.935025 port4 -- 802.1Q vlan#1105 P7
    0x0000 0010 9422 0002 704c a553 1955 8100 e451 ..."..pL.S.U...Q
    0x0010 0800 45c0 006a 0008 0000 fe11 b5b4 0101 ..E..j..........
    0x0020 0102 0202 0202 0400 0400 0056 852a 0000 ...........V.*..
    0x0030 0000 0000 0000 0000 0000 0000 0000 0000 ................
    0x0040 0000 0000 0000 0000 0000 0000 0000 0000 ................
    0x0050 0000 0000 0000 0000 0000 0000 0000 0000 ................
    0x0060 0000 0000 0000 0000 91f0 161d e232 159c .............2..
    0x0070 4649 d361 e01b 89a2 3e48 0a83 FI.a....>H..

    The Tag Control Information (TCI) field changed from f451 to e451: PCP (7) and VLAN ID (1105) are unchanged, while the DEI bit (bit 12 of the TCI) was cleared and reset to 0.

Example 2

In this example, the incoming traffic arriving on port3 has its VLAN DEI bit set to 0. The egress traffic on port4 keeps the DEI bit at 0.

To verify the DEI bits:
  1. Sniff the traffic on port3:
    # diagnose sniffer packet port3 "" 6
    
    194.457945 port3 -- 802.1Q vlan#1105 P7
    0x0000 704c a553 1954 0010 9411 0001 8100 e451 pL.S.T.........Q
    0x0010 0800 45c0 006a 0008 0000 ff11 b4b4 0101 ..E..j..........
    0x0020 0102 0202 0202 0400 0400 0056 852a 0000 ...........V.*..
    0x0030 0000 0000 0000 0000 0000 0000 0000 0000 ................
    0x0040 0000 0000 0000 0000 0000 0000 0000 0000 ................
    0x0050 0000 0000 0000 0000 0000 0000 0000 0000 ................
    0x0060 0000 0000 0000 0000 88a4 7d05 c787 2161 ..........}...!a
    0x0070 8abf 88c9 496f 635f 90b4 2c72 ....Ioc_..,r
  2. Sniff the traffic on port4:
    # diagnose sniffer packet port4 "" 6
    
    192.457951 port4 -- 802.1Q vlan#1105 P7
    0x0000 0010 9422 0002 704c a553 1955 8100 e451 ..."..pL.S.U...Q
    0x0010 0800 45c0 006a 0008 0000 fe11 b5b4 0101 ..E..j..........
    0x0020 0102 0202 0202 0400 0400 0056 852a 0000 ...........V.*..
    0x0030 0000 0000 0000 0000 0000 0000 0000 0000 ................
    0x0040 0000 0000 0000 0000 0000 0000 0000 0000 ................
    0x0050 0000 0000 0000 0000 0000 0000 0000 0000 ................
    0x0060 0000 0000 0000 0000 88a4 7d05 c787 2161 ..........}...!a
    0x0070 8abf 88c9 496f 635f 90b4 2c72 ....Ioc_..,r

    The TCI field is the same on both ports (e451), so the DEI bit was not cleared and remains 0.
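
To check the tag fields programmatically instead of reading them off the hex dump, here is an added Python example (not part of the Fortinet documentation) that parses the first line of each sniffer dump from Examples 1 and 2 and decodes PCP, DEI and VID from the 802.1Q TCI; the dump strings are copied from the captures above, and the function names are the example's own.

```python
import re

# First dump line of each capture, copied from Examples 1 and 2 above.
# Only this line carries the Ethernet addresses and the 802.1Q tag.
EX1_INGRESS_PORT3 = '0x0000 704c a553 1954 0010 9411 0001 8100 f451 pL.S.T.........Q'
EX1_EGRESS_PORT4 = '0x0000 0010 9422 0002 704c a553 1955 8100 e451 .."..pL.S.U...Q'
EX2_INGRESS_PORT3 = '0x0000 704c a553 1954 0010 9411 0001 8100 e451 pL.S.T.........Q'
EX2_EGRESS_PORT4 = '0x0000 0010 9422 0002 704c a553 1955 8100 e451 .."..pL.S.U...Q'

TPID_8021Q = 0x8100
# offset, then up to eight 16-bit hex words, then the ASCII column
DUMP_LINE = re.compile(r"^0x[0-9a-fA-F]{4}((?:\s+[0-9a-fA-F]{4}){1,8})")


def dump_line_to_bytes(line):
    """Convert one 'diagnose sniffer packet ... 6' dump line to raw bytes."""
    match = DUMP_LINE.match(line.strip())
    if not match:
        raise ValueError("not a sniffer hex dump line: %r" % line)
    return bytes.fromhex("".join(match.group(1).split()))


def decode_vlan_tag(frame):
    """Decode the 802.1Q tag following the 12-byte Ethernet addresses.

    Returns PCP (3 bits), DEI (1 bit) and VID (12 bits) from the 16-bit
    Tag Control Information field, or None if the frame is untagged.
    """
    if len(frame) < 16 or int.from_bytes(frame[12:14], "big") != TPID_8021Q:
        return None
    tci = int.from_bytes(frame[14:16], "big")
    return {"tci": tci, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}


def tag_diff(ingress_line, egress_line):
    """Return {field: (ingress, egress)} for every tag field that changed."""
    before = decode_vlan_tag(dump_line_to_bytes(ingress_line))
    after = decode_vlan_tag(dump_line_to_bytes(egress_line))
    if before is None or after is None:
        raise ValueError("both frames must carry an 802.1Q tag")
    return {k: (before[k], after[k]) for k in ("pcp", "dei", "vid") if before[k] != after[k]}


if __name__ == "__main__":
    print("Example 1 changed fields:", tag_diff(EX1_INGRESS_PORT3, EX1_EGRESS_PORT4))
    print("Example 2 changed fields:", tag_diff(EX2_INGRESS_PORT3, EX2_EGRESS_PORT4))
```

For Example 1 only the DEI field differs (1 on port3, 0 on port4); for Example 2 nothing differs, matching the "e451" observation in both captures.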