BusinessUser
Explorer
April 26, 2023
Question

How To Configure "Hardware Switch" As Vlan with "Access Port"

  • April 26, 2023
  • 4 replies
  • 8669 views

The FortiGate switch has multiple ports in the "hardware switch".

I assume that it is a switch virtual interface.

I read that it is a trunk port by default.

How do I change these settings so that it is an access port for the 2 interfaces instead?

4 replies

ede_pfau
SuperUser
April 26, 2023

Hardware switch ports are no different from ordinary physical ports in that respect. That is, if you use the port "as is", it's untagged and not part of a VLAN. If you create a VLAN with the switch as the base port, it will tag the traffic with the specified VLAN ID.

 

Screenshot 2023-04-26 124641.jpg

BusinessUser
Explorer
April 26, 2023

"As it is": does it mean using a default VLAN of 1?

Is using a VLAN of 1 the same as "as it is"?

 

I am encountering a situation in which there is a loop because I have 2 interfaces on "internal".

What can I do to resolve this?

Do you have Layer 2 port-channels in FortiGate?

PaulRoberts
New Member
April 26, 2023

More or less. It's something that really commonly throws people, but VLAN 1 is not actually tagged. Once you're doing VLANs, typically the most sensible thing to do is start making all the ports on your switch bind to a specific VLAN and only allow VLAN 1 to be present on the ports connecting switches to other switches, or any devices where LLDP and STP should still do their jobs to minimize mayhem and confusion. Basically, VLAN 1 should become a "human-free zone" and everything that isn't switching equipment should be talking inside different VLANs.

If you're trunking (where multiple VLANs share the same segment because they're all encapsulated) your ports and including VLAN 1 in the list, that's probably where things are going wrong because traffic is being allowed to freely go from other VLANs to VLAN1, which then goes pretty much everywhere.

Toshi_Esumi
SuperUser
April 26, 2023

Unlike Cisco switches, if you create a new interface on an FGT as a VLAN and set vlanid 1 like below, it's a tagged interface. Only the parent interface, in your case "internal", is untagged. The hard-switch doesn't support "native VLAN" either. The FortiSwitch (FSW) or the VLAN switch on most "F"-series FGTs supports the native VLAN.

 

config system interface
  edit "VLAN1"
    set vdom root
    --<snip>--
    set type vlan
    set interface "internal"
    set vlanid 1
  next
end

 

Toshi

   

RachelGomez123
New Member
April 27, 2023

To configure a hardware switch as a VLAN with an access port, you can follow these general steps:

Identify the VLANs you want to create: Determine the number of VLANs you need and their respective VLAN IDs.

Configure the switch ports: Assign the access port to the VLAN you want. You can do this using the switch's command-line interface (CLI) or web-based interface.

Configure the VLANs: Define the VLANs you want to create on the switch. You can do this using the switch's CLI or web-based interface.

Assign ports to the VLANs: Assign the access ports to the appropriate VLANs using the switch's CLI or web-based interface.

 

Regards,

Rachel Gomez

BusinessUser
Explorer
April 27, 2023

Will the VLANs be able to route to the outside WAN interface?

 

Also, I read the documentation but I can't tell the difference between a hardware switch and a software switch.

gfleming
Staff
April 27, 2023

There is no functional difference between a hardware switch and a software switch.

 

A hardware switch is a collection of ports which are physically bound by a switching fabric on the firewall. This allows the ports to be bridged together and forward traffic with no impact on the CPU.

 

A software switch is a bridge that allows any and all ports and port types to be bridged together in software. This results in a high load on the CPU.
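The two definitions gfleming describes, side by side as FortiOS CLI. This is an added example, not configuration from any post on this thread; the object names ("internal", "soft-sw"), the physical-switch name "sw0" and the port names are assumptions, and the exact CLI tree for the hardware switch varies by model (some models expose it only under "config system virtual-switch" as shown, others only through the GUI).

```fortios
# Hardware switch: member ports are bound together by the switching fabric (ASIC).
# Frames between members are forwarded in hardware and never touch the CPU.
# Assumed: physical switch "sw0", members port1 and port2.
config system virtual-switch
    edit "internal"
        set physical-switch "sw0"
        config port
            edit "port1"
            next
            edit "port2"
            next
        end
    next
end

# The hardware switch appears as one interface of type hard-switch, which is
# where the untagged traffic of every member port lands and gets its IP.
config system interface
    edit "internal"
        set vdom "root"
        set type hard-switch
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
    next
end

# Software switch: any interfaces, of any type, bridged in software by the CPU.
# Useful to bridge a wireless SSID with wired ports, at the cost of CPU load.
# Assumed: members port5 and port6 (an SSID interface could be listed here too).
config system switch-interface
    edit "soft-sw"
        set vdom "root"
        set type switch
        set member "port5" "port6"
    next
end
```

Member ports of either switch type must not already have an IP address or be referenced by a firewall policy, otherwise the FortiGate refuses to add them; remove those references first. The practical difference for the question in this thread is only performance: neither switch type lets you set a per-port VLAN, which is covered by the other replies.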

sw2090
SuperUser
April 27, 2023

That is what you would do on a hardware switch. The FortiGate hardware switch does not support this.

You can attach a virtual VLAN interface to the switch interface only. This means traffic coming in on any port that is a member of the switch and is tagged with that VID will hit the VLAN interface, and vice versa. Also, FortiOS does not know "untagged" (i.e. if there is no VID, or no known VID, tag it with that one).

You cannot set that per port on a hardware switch on a FortiGate.