khalavak
New Member
December 5, 2021
Question

FortiGate + FortiSwitch VLANs on both devices?

  • December 5, 2021
  • 14 replies
  • 44652 views

Hello,

First-time poster here, so have mercy :)

 

I am new to Fortinet but a long-time security / networking administrator. I recently acquired a FortiGate 40F, FortiSwitch 108F and a FortiAP 221 to test it out and learn about Fortinet.

 

I am running into a stupid problem that I can't understand: 

 

I would like to create VLANs on both FortiSwitch and FortiGate so that the FortiGate is the gateway and DHCP server on these VLAN networks. Furthermore, I would like to use the VLANs on the FortiSwitch so that I can use multiple ports on the switch on these VLANs, say ports 1-4 have native VLAN accounting_VLAN and ports 5-8 have VLAN printer_vlan, etc.

 

I would also like to use 1 or more ports on the FortiGate on these VLANs if needed. But this does not seem to be possible: creating a VLAN and then tagging the VLAN on both FortiGate and FortiSwitch ports?

From what I can see now, if using VLANs on the FortiSwitch, I can't use these VLANs on the FortiGate ports and use the FG ports for connecting devices to the VLANs that I use?

 

 

High-level overview of what I am trying to do:

 

1. Create VLAN accounting_VLAN (VLAN ID=10) and office_VLAN (VLAN ID=20) on the FortiGate with IP address and DHCP enabled etc. so that the Fortigate is the gateway for the VLAN network.

2. Use the accounting_VLAN on FortiGate ports so that devices can be plugged into the FortiGate and assigned to one of these VLANs (if FG-40F, then fewer ports to use; if 200F, then more ports to use).

3. Connect the FortiSwitch to the FortiGate using Fortilink.

4. Trunk the accounting_VLAN on the trunk to the FortiSwitch

5. Use the accounting_VLAN ports on the FortiSwitch, for example ports 1-8 on accounting_VLAN and ports 9-13 on office_VLAN.

 

However, this doesn't seem to be possible from my testing of different configurations? I can create VLANs on the FortiSwitch and tag them as native VLANs on different ports, but I can't use those VLANs on the FortiGate for creating a firewall/gateway interface to those VLANs.

 

What am I missing? 

 

Best regards,

Kim

 

14 replies

sachitdas_FTNT
Staff
December 6, 2021

Hi Kim,

From what I understand, you want to share a subnet between FGT and FSW ports.

You can create a software switch interface type - add the FSW VLAN and FGT ports as members of the software switch (make sure the FSW VLAN and FGT ports don't have any references) - configure the software switch with IP address, DHCP, etc. and finally create a policy for the software switch interface.

 

khalavak (Author)
New Member
December 6, 2021

Hello Sachit,

Yes, but how? :) Adding a software switch is a no-brainer, and attaching the ports as members. But then when it comes to VLANs it becomes tricky, as the VLANs on the FSW cannot be used on the FGT ports directly; it seems I have to create ANOTHER VLAN (not the same name, but the same VLAN ID) on the FGT side and then use that on the software switch side...and hopefully the VLAN ID being the same for the FGT and FSW will propagate over the Fortilink port to the FSW where the VLAN is tagged...

 

Do you have any configuration examples for this? CLI commands or even screenshots?

 

 

khalavak (Author)
New Member
December 6, 2021

Here is an example of a software switch setup with VLANs, both on FGT and FSW:

What's confusing is that 3 interfaces are needed: a software switch to collect the ports on the FGT, a VLAN on the FGT to assign to the software switch, and additionally the same VLAN on the FSW...all these interfaces can have IP addresses, DHCP servers, etc. configured, which is confusing. And then in the firewall policy the software switch must be used, as using the VLAN on the FGT or the VLAN on the FSW does not work.

 

 

Screenshot 2021-12-06 at 14.54.26.png

khalavak (Author)
New Member
December 6, 2021

Here is another try to set this up, see screenshot.

However, in this setup it works as long as I connect to ports 1-3 on the FGT, but if I connect to a port on the FSW where there is another VLAN used with the same VLAN ID as native VLAN, it does not work and the host connected on the FSW doesn't get DHCP and has no access to the Internet...so the link between FGT and FSW does not propagate the VLAN domain between FGT and FSW...

Screenshot 2021-12-06 at 15.37.33.png

 

 

khalavak (Author)
New Member
December 6, 2021

I just can't get the FortiGate VLANs and the FortiSwitch VLANs to work together. 

The FortiSwitch VLANs can't be used on the ports in the FortiGate and the VLANs on the FortiGate can't be used on the FortiSwitch. Creating a separate VLAN with the same VLAN ID on the FortiGate doesn't "bridge" the VLANs so that they work together; in my example here I have created a VLAN interface "CLIENT_FGT" with the same VLAN ID 10 as the CLIENT VLAN that exists on the FortiSwitch. In this example I configured IP + DHCP server on the FortiSwitch and that works OK, and any devices connected to the switch have the access I define in policies. But if I try to add any FortiGate physical ports to the same VLAN by creating a software/hardware switch and then adding a VLAN with the same VLAN ID (can't use the CLIENT VLAN on the FGT unfortunately, have to create a new one with a different name and the same VLAN ID...)

 

Should I just give up or can this work at all?????

 

 

 

Screenshot 2021-12-06 at 16.15.46.png
Screenshot 2021-12-06 at 16.15.35.png
Screenshot 2021-12-06 at 16.15.31.png
Screenshot 2021-12-06 at 16.15.20.png

sachitdas_FTNT
Staff
December 6, 2021

Hi,

Please check if this matches your requirement.

 

Requirement: Configure a VLAN/subnet so that clients connecting to an FSW port or an FGT port get an IP from that VLAN.

Refer to the example/configuration below:

Step1:- Create a vlan on FSW (Wifi & switch controller -> Fortiswitch Vlans), don’t give any IP address.

Interface is showing as port4 because it’s the Fortilink interface (dedicated to FSW)

Give a VLAN ID, e.g. 100.

sachitdas_FTNT_1-1638795364409.png

(Don't map the VLAN to any FSW port before step 2.)

 

Step2:- Create a Software Switch Interface on the FGT (Network -> Interfaces -> Create new interface -> select interface type as software switch -> and map the FSW vlan100 and the FGT physical port as interface members)

In the example below, suppose we want a client connecting to port2 of the FGT to get an IP from the 100.100.100.x subnet.

Give an IP address and netmask and enable the DHCP server on the FGT, or if it's an external DHCP server, configure the same.

sachitdas_FTNT_2-1638795379525.png

 

 

Step3:- Map the vlan100 to any one of the FSW ports:

sachitdas_FTNT_3-1638795391261.png

 

 

Step4: Connect a client to FSW port1 and FGT port2, and the client will get an IP address from vlan100.

 

khalavak (Author)
New Member
December 6, 2021

Hello, thanks for the detailed instructions, but here is why it fails for me on my FGT-40F:

 

In step 2, after creating the VLAN on the FortiSwitch (Wifi & switch controller -> Fortiswitch Vlans) and then proceeding to create a Software Switch Interface on the FGT, I can only add physical ports to the software switch, not any VLANs and definitely not VLANs from the FortiSwitch. The only way to get a VLAN ID involved in the config is to create a new VLAN and then add the software switch to that VLAN, not the other way around (adding the VLAN to the Software Switch)...??? WTF? :) I am using the latest FortiOS 7.0.2 if that matters?

 

 

 

Screenshot 2021-12-06 at 17.49.31.png
Screenshot 2021-12-06 at 17.51.18.png
Screenshot 2021-12-06 at 17.50.59.png
Screenshot 2021-12-06 at 17.50.23.png
Screenshot 2021-12-06 at 17.49.54.png

 

 

 

 

Radovan
Visitor III
May 14, 2023

Hi, did you actually get it to work? Having the same issue and cannot figure it out...

 

thx

sachitdas_FTNT
Staff
December 6, 2021

Hi,

As per my understanding, when the VLAN has references, e.g. if it's already mapped to switch ports or anywhere else, you won't be able to add the VLAN as a member of the software switch.

khalavak (Author)
New Member
December 6, 2021

OK...well, in this case the VLAN is not mapped to any switch ports, except the Fortilink port on which the VLAN is automatically tagged...so not sure what you mean by that.

 

Is this a GUI issue? Should I try CLI instead?

 

 

khalavak (Author)
New Member
December 6, 2021

Update: 

When creating an FSW VLAN, the "Create address object matching subnet" option was checked by default. So I tested removing the object that was automatically created, and then the VLAN "CLIENT" was available in the software switch. Quite a weird experience and GUI logic to be honest; it doesn't make it easy for admins to configure FGT and FSW devices this way :(

 

Hope this helps all the other people out there trying to do this pretty simple and normal setup on a Fortigate and Fortiswitch. ;)

Thanks for your help and insight here @sachitdas_FTNT ! 

Screenshot 2021-12-06 at 19.48.06.png
Screenshot 2021-12-06 at 19.47.57.png

Toshi_Esumi
SuperUser
December 6, 2021

From the FGT's view (or config), Fortilink is one of the hard-switches. You can see it in the CLI under "config system virtual-switch". When a VLAN is in a hard-switch, the same VLAN cannot be a member of another hard-switch or soft-switch.
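The four GUI steps sachitdas_FTNT posted above, the "no references" condition he mentioned, and the address-object reference khalavak found blocking the VLAN, written out as FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet documentation. Interface names are assumptions: "fortilink" for the FortiLink interface (shown as port4 on sachitdas_FTNT's unit), "vlan100" for the FSW VLAN, "clients-sw" for the software switch, "port2" for the FGT access port and "wan" for the upstream interface; the FSW serial is a placeholder and the auto-created address object name is assumed to follow the "<interface> address" convention.

```fortios
# Added example (not from the thread). FortiOS 7.0-style CLI; names are assumptions.

# Step 1: FSW VLAN on the FortiLink interface, no IP, not yet mapped to any FSW port
config system interface
    edit "vlan100"
        set vdom "root"
        set interface "fortilink"
        set vlanid 100
    next
end

# Check: the VLAN must have no references or it cannot join the software switch.
# The GUI's "Create address object matching subnet" adds such a reference;
# list references first, then delete the auto-created object (name assumed).
diagnose sys checkused system.interface.name vlan100
config firewall address
    delete "vlan100 address"
end

# Step 2: software switch with the FSW VLAN and an FGT physical port as members,
# then the L3 settings on the resulting switch interface (the VLAN stays without IP)
config system switch-interface
    edit "clients-sw"
        set vdom "root"
        set type switch
        set member "vlan100" "port2"
    next
end
config system interface
    edit "clients-sw"
        set ip 100.100.100.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
end
config system dhcp server
    edit 1
        set interface "clients-sw"
        set default-gateway 100.100.100.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 100.100.100.10
                set end-ip 100.100.100.200
            next
        end
    next
end

# Step 3: only now map vlan100 to an FSW access port (serial is a placeholder)
config switch-controller managed-switch
    edit "FSW-SERIAL-PLACEHOLDER"
        config ports
            edit "port1"
                set vlan "vlan100"
            next
        end
    next
end

# Step 4: the firewall policy references the software switch, not the VLAN;
# keep the service list to what the clients need and log the traffic.
config firewall policy
    edit 0
        set name "clients-sw-to-wan"
        set srcintf "clients-sw"
        set dstintf "wan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "HTTP" "HTTPS"
        set nat enable
        set logtraffic all
    next
end
```

The ordering matters for the constraint Toshi_Esumi describes: the VLAN is created on the FortiLink hard-switch with nothing referencing it, joins the software switch while it is still reference-free, and is only mapped to FortiSwitch ports afterwards. Running the checkused command before the switch-interface step shows whether anything (address object, policy, DHCP server) still points at the VLAN; if the member command is rejected, that output is the first thing to inspect.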

boneyard
Valued Contributor
December 6, 2021

@khalavak wrote:

    I would also like to use 1 or more ports on the FortiGate on these VLANs if needed. But this does not seem to be possible, to create a VLAN and then tag the VLAN on both FortiGate and FortiSwitch ports?

Perhaps an annoying question, but why?

I personally just say it isn't possible, even though I'm not 100% sure. Once you go FortiSwitch, you use the FortiSwitch and don't mix and match VLANs with the FortiGate for access.

khalavak (Author)
New Member
December 6, 2021

Why? 

 

Well, now I have a FortiGate 40F so I don't lose too many ports, but if I get a bigger FortiGate with more ports, those ports can become virtually unusable when using FortiGate + FortiSwitch, and that just feels wrong and stupid if it can't be done. :(

boneyard
Valued Contributor
December 7, 2021

Yeah OK, I get your reasoning. Fortinet seems to be moving away from the FortiGate models with lots of interfaces in general, is my observation.

 

And sure, you waste some, but in general I don't see it as that much of an issue. I do understand your point, but I would just accept it and provide enough FortiSwitches for the access ports and build a large enough link aggregate between the FortiGate and the switches.

CHR57
Explorer II
July 7, 2022

I think I have the same problem.
One Fortiswitch (fortilink) VLAN should also be on a physical FG interface (aggregated).

efernandes
Explorer II
November 13, 2023

Did anyone get this to work? I am having the same issue. I can't seem to map the VLANs.