Description
This article describes how to allow STP packets on the internal interfaces of a FortiGate 92D or FortiWiFi 92D. By default, STP packets are not allowed on these interfaces.

Scope
FortiGate 92D, FortiWiFi 92D
v5.4.1 onwards
Solution
Previously, when using ports 1 through 14, the following behavior could be observed:
- PPPoE failing, HA failing to form.
- IPv6 packets being dropped.
- FortiSwitch devices failing to be discovered.
- Spanning tree loops may result depending on the network topology.
These issues have been addressed in FortiOS 5.4.1 through a new command, which is enabled by default but has some side effects:

config system global
    set hw-switch-ether-filter {enable | disable}
end
When the command is enabled:
1.) ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed.
2.) BPDUs are dropped and therefore no STP loop results.
3.) PPPoE packets are dropped.
4.) IPv6 packets are dropped.
5.) FortiSwitch devices are not discovered.
6.) HA may fail to form, depending on the network topology.
When the command is disabled:
All packet types are allowed, including STP.
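The allow/drop rules above can be modelled on the wire level to see which frame types reach the switch fabric under each setting. The following is an added example written for this article, not FortiOS code or anything from Fortinet: it parses the Ethernet type/length field of constructed sample frames (BPDU, ARP, IPv4, VLAN-tagged, IPv6, PPPoE) and applies the rule the article states, where an enabled filter passes only EtherTypes 0x0806, 0x0800 and 0x8100 and a disabled filter passes everything. The STP, IPv6 and PPPoE identifiers used for classification are standard values, not taken from the article; the exact matching logic of the hardware switch is an assumption.

```python
"""Model of the hw-switch-ether-filter behaviour described in the article.

Added example (not FortiOS code). All frame bytes below are constructed.
"""
import struct

# EtherTypes the article lists as allowed when the filter is enabled
ETH_ARP = 0x0806
ETH_IPV4 = 0x0800
ETH_VLAN = 0x8100
ALLOWED_WHEN_FILTERED = {ETH_ARP, ETH_IPV4, ETH_VLAN}

# Standard values for the frame types the article says are dropped
# (assumed to be what the hardware filter sees; not from the article)
ETH_IPV6 = 0x86DD
ETH_PPPOE_DISC = 0x8863
ETH_PPPOE_SESS = 0x8864
LLC_STP_SAP = 0x42  # DSAP/SSAP used by STP BPDUs (IEEE 802.2 LLC)
STP_MCAST = bytes.fromhex("0180c2000000")  # well-known STP destination MAC

LABELS = {
    ETH_ARP: "arp", ETH_IPV4: "ipv4", ETH_VLAN: "vlan", ETH_IPV6: "ipv6",
    ETH_PPPOE_DISC: "pppoe", ETH_PPPOE_SESS: "pppoe",
}


def ether_type_or_len(frame: bytes) -> int:
    """Return the 16-bit type/length field at bytes 12..13."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return struct.unpack("!H", frame[12:14])[0]


def classify(frame: bytes) -> str:
    """Label a frame by its type/length field (and LLC SAPs for 802.3 frames)."""
    field = ether_type_or_len(frame)
    if field < 0x0600:
        # 802.3 length field: an LLC header follows; STP BPDUs use SAP 0x42
        if len(frame) >= 16 and frame[14] == LLC_STP_SAP and frame[15] == LLC_STP_SAP:
            return "bpdu"
        return "llc-other"
    return LABELS.get(field, "other")


def forwarded(frame: bytes, hw_switch_ether_filter: bool) -> bool:
    """Article rule: filter enabled -> only ARP/IPv4/VLAN pass; disabled -> all pass."""
    if not hw_switch_ether_filter:
        return True
    return ether_type_or_len(frame) in ALLOWED_WHEN_FILTERED


def make_frame(dst: bytes, type_or_len: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet frame (constructed test data, no FCS)."""
    src = bytes.fromhex("001122334455")
    return dst + src + struct.pack("!H", type_or_len) + payload


_bcast = b"\xff" * 6
_unicast = bytes.fromhex("00aabbccddee")
SAMPLE_FRAMES = {
    # 802.3 frame carrying an LLC header (42 42 03) and a Config BPDU stub
    "bpdu": make_frame(STP_MCAST, 0x0026, bytes.fromhex("424203") + b"\x00" * 35),
    "arp": make_frame(_bcast, ETH_ARP, b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20),
    "ipv4": make_frame(_unicast, ETH_IPV4, b"\x45" + b"\x00" * 19),
    # 802.1Q tag (VLAN 10) in front of an IPv4 payload
    "vlan": make_frame(_unicast, ETH_VLAN, b"\x00\x0a" + struct.pack("!H", ETH_IPV4) + b"\x45" + b"\x00" * 19),
    "ipv6": make_frame(_unicast, ETH_IPV6, b"\x60" + b"\x00" * 39),
    "pppoe": make_frame(_bcast, ETH_PPPOE_DISC, b"\x11\x09\x00\x00\x00\x00"),
}


def audit(hw_switch_ether_filter: bool) -> dict:
    """Map each sample frame label to whether it is forwarded under the setting."""
    return {classify(f): forwarded(f, hw_switch_ether_filter) for f in SAMPLE_FRAMES.values()}


if __name__ == "__main__":
    for setting in (True, False):
        print(f"hw-switch-ether-filter {'enable' if setting else 'disable'}: {audit(setting)}")
```

Running the block prints the forwarding decision for each sample frame under both settings; with the filter enabled the BPDU, IPv6 and PPPoE frames are the ones that do not pass, which matches the side effects listed above.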
For more information, please refer to the FortiOS v5.4.1 release notes.