Administration Guide

Virtual wires

Some testing scenarios might require two ports to be wired 'back-to-back'. Instead of using a physical cable, you can configure a virtual wire between two ports. The virtual wire forwards traffic from one port to the other port with minimal filtering or modification of the packets.

Notes:

  • ACL mirroring is not supported.
  • You can select ports that are already ingress and egress mirror sources.

Using the GUI:

  1. Go to Switch > Virtual Wires.
  2. Select Add Virtual Wire to create a new virtual wire.
  3. Enter a name and select the ports for first member and second member.
  4. Select Add to save the changes.

Using the CLI:

Use the following commands to configure a virtual wire:

config switch virtual-wire
    edit <virtual-wire-name>
        set first-member <port-name>
        set second-member <port-name>
        set vlan <vlan-id>
    next
end

Virtual wire ports set a special Tag Protocol Identifier (TPID) in the VLAN header. The default value is 0xdee5, a value that real network traffic never uses.

Use the following commands to configure a value for the TPID:

config switch global
    set virtual-wire-tpid <hex value from 0x0001 to 0xFFFE>
end

Use the following command to display the virtual wire configuration:

diagnose switch physical-ports virtual-wire list
 
  port1(1) to port2(2) TPID: 0xdee5 VLAN: 4011
  port3(3) to port4(4) TPID: 0xdee5 VLAN: 4011
  port5(5) to port25(25) TPID: 0xdee5 VLAN: 4011
  port7(7) to port8(8) TPID: 0xdee5 VLAN: 4011
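
The following is an added example, not part of the Fortinet guide: a Python check that parses saved output of the list command above, flags a TPID that is outside the documented 0x0001 to 0xFFFE range or that matches an EtherType real traffic uses, and reports wired ports that are not on an allowlist. The sample output, the allowlist, and the function names are constructed for illustration.

```python
import re

# Standard EtherType/TPID values that real traffic uses (well-known assignments).
IN_USE = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6",
          0x8100: "802.1Q", 0x88A8: "802.1ad", 0x9100: "legacy QinQ"}

# Matches lines such as "port1(1) to port2(2) TPID: 0xdee5 VLAN: 4011".
LINE = re.compile(
    r"^\s*(\S+)\(\d+\) to (\S+)\(\d+\) TPID: (0x[0-9a-fA-F]+) VLAN: (\d+)\s*$")

def parse_wires(text):
    """Return one dict per virtual-wire line; other lines are skipped."""
    wires = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            wires.append({"first": m.group(1), "second": m.group(2),
                          "tpid": int(m.group(3), 16), "vlan": int(m.group(4))})
    return wires

def audit(wires, approved_ports):
    """Return findings: unsafe TPID values and ports outside the approved set."""
    findings = []
    for tpid in sorted({w["tpid"] for w in wires}):
        if not 0x0001 <= tpid <= 0xFFFE:
            findings.append(f"TPID {tpid:#06x} is outside 0x0001-0xFFFE")
        elif tpid in IN_USE:
            findings.append(f"TPID {tpid:#06x} collides with {IN_USE[tpid]}")
    for w in wires:
        for port in (w["first"], w["second"]):
            if port not in approved_ports:
                findings.append(f"{port} is in a virtual wire but not approved")
    return findings

# Constructed sample in the format of the listing above (not real device output).
SAMPLE = """
  port1(1) to port2(2) TPID: 0x8100 VLAN: 4011
  port5(5) to port25(25) TPID: 0x8100 VLAN: 4011
"""
APPROVED = {"port1", "port2", "port5"}  # hypothetical lab allowlist

if __name__ == "__main__":
    for finding in audit(parse_wires(SAMPLE), APPROVED):
        print(finding)
```

The allowlist check matters because, as the notes below state, virtual-wire ports run with VLAN filtering and L2 learning disabled.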

NOTE:

  • Ports have ingress and egress VLAN filtering disabled. All traffic (including VLAN headers) is passed unchanged to the peer. All egress traffic is untagged.
  • Ports have L2 learning disabled.
  • Ports have their egress limited to their peer and do not allow egress from any other ports.
  • The system uses TCAM to force forwarding from a port to its peer.
  • The TCAM prevents any copy-to-cpu or packet drops.
