tanr
New Member
July 31, 2016
Question

VLAN Switch Mode with CLI on FGT 100D 5.4.1

Hi All,

TLDR;

Anybody familiar with the "VLAN Switch Mode" that is supposedly accessible through CLI only for the FGT 100D? A usable example or set of CLI commands would be great.

More Details:
I'm spending my weekend doing initial setup of a FortiGate 100D and 300D, to replace older (non-FortiGate) hardware at two locations, both of which have multiple managed switches with a number of vlans.  This is all with 5.4.1.  The two locations have an always-on vpn connection.  Everything is already up and running with the old hardware.
The 100D is going to the remote site, with only two small managed switches and a smaller number of vlans.
My initial plan for the 100D was to remove most of its physical ports from membership in the "lan" hard-switch interface, create appropriate vlan interfaces as children of the ports (multiple in some cases so it can be used as a trunk), and connect to the switches in exactly the same way.  However, it seemed a waste to use all those separate switch ports when the 100D had plenty itself...
I've scanned through the forums and found plenty of references telling me that a FortiGate's VLAN interfaces can only send and receive tagged packets, but I also ran into a few documents that specifically referred to the 100D and 200D and described a "VLAN Switch Mode", which seemed to imply that a hardware switch on the 100D or 200D could be set to have a particular VLAN, but with an untagged trunk port. This supposedly is doable only from CLI.

I've searched the following documents and posts, among others, but haven't found any method that works in 5.4.1 to change an existing switch with type hard-switch to type switch-vlan.  Similarly, attempting to create a new switch object with type switch-vlan also fails.  (I can post the attempts and failures if needed.)
Tech Note that describes VLAN Switch Mode for 5.4:
http://kb.fortinet.com/kb/documentLink.do?externalID=FD37588

Ken Felix blog post that describes this, but seems to only be controlling a FortiSwitch:
http://socpuppet.blogspot.com/2015/01/fortigate-switch-controller.html

FortiOS 5.2 Forum Post regarding VLAN switch mode, with mention of a trunk:
https://forum.fortinet.com/tm.aspx?m=127058

Before I get to the point of exhaustively trying combinations and posting the many errors they generate, has anybody successfully set up a 100D or 200D with a switch of type switch-vlan?  Did it still force all switch ports to be vlan tagged, or did it allow untagged?  If it allowed untagged, please let me know the CLI commands you used.
Probably just chasing ghosts, but thought I'd check.

nswetland
New Member
August 2, 2016

I would like to know more about this, too... I looked at this link: http://kb.fortinet.com/kb/documentLink.do?externalID=FD37588 but it doesn't really tell you what they are used for exactly.

I also read through what others have suggested here: http://cookbook.fortinet.com/redundant-architecture/ about the vlan-switch configuration, but again, it didn't really seem to explain what it's for.

The primary thing I am trying to figure out is creating trunk ports that I can send over the PoE ports to my Access Points, since I have SSIDs based on VLAN tags... But I also want the same VLANs to have a trunk to the physical ports. In an ASA it was as simple as "switchport trunk allowed VLAN X,Y,Z" and then "switchport mode trunk" on the ethernet interfaces... Is this what Switch-Vlan is for?

tanr
New Member
August 2, 2016

I think that cookbook article is only valid for 5.2.x.  It refers to system>global>internal-switch-mode and config>system>global>virtual-switch-vlan, neither of which exist in 5.4.x.
With the FGT you can create multiple tagged VLAN interfaces on top of a single physical interface, creating a trunk port that is restricted to just those VLANs.  Your switch and AP need to be able to handle tagged packets, though.

From the docs: http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-system-administration-54/VLANs/VLANs%20in%20NAT%20mode.htm
If you're generating VLAN ID's dynamically at the AP, that's a whole different problem, though.
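The approach described in this reply, written out as a FortiOS 5.4 `config system interface` block. This is an added illustration, not configuration posted in the thread or taken from Fortinet's documentation; the interface names, VLAN IDs and addresses are assumed, and the `#` lines are explanatory comments rather than CLI input.

```text
# Constructed example: port16 is the trunk towards the switch and AP.
# The physical port keeps no IP address of its own and carries only
# 802.1Q-tagged frames for VLANs 10, 20 and 30.
config system interface
    edit "port16"
        set vdom "root"
        set ip 0.0.0.0 0.0.0.0
    next
    # One Layer-3 VLAN subinterface per tag; each one is the gateway for
    # hosts in that VLAN (assumed addressing). 'allowaccess ping' keeps
    # management access (https/ssh) off the user-facing VLANs.
    edit "vlan10-lan"
        set vdom "root"
        set ip 10.0.10.254 255.255.255.0
        set allowaccess ping
        set interface "port16"
        set vlanid 10
    next
    edit "vlan20-lan"
        set vdom "root"
        set ip 10.0.20.254 255.255.255.0
        set allowaccess ping
        set interface "port16"
        set vlanid 20
    next
    edit "vlan30-lan"
        set vdom "root"
        set ip 10.0.30.254 255.255.255.0
        set allowaccess ping
        set interface "port16"
        set vlanid 30
    next
end
# Traffic between these VLAN interfaces is only forwarded where a firewall
# policy explicitly allows it; with no policy defined the VLANs stay isolated.
```

The switch port facing port16 must be configured as a tagged trunk for VLANs 10, 20 and 30, and the AP must tag each SSID with its VLAN ID, since the FortiGate's VLAN interfaces do not accept untagged frames.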

nswetland
New Member
August 2, 2016

Thanks for the reply.
So, I am basically going to create, say VLAN 10,20,30 underneath port 16?

Say VLAN10 is my native VLAN; do I need to assign IPs to the VLANs, and leave port16 at 0.0.0.0, and then all the devices behind that use their specific VLAN IP as their gateway?

e.g.

PORT16: IP = 0.0.0.0/24
VLAN 10 = 10.0.10.254/21
VLAN 20 = 10.0.20.254/24
VLAN 30 = 10.0.20.254/24

And, then if I want to also have wired clients on, say port2 that goes into my workstation switch...  I want to trunk VLAN 10,20,30 on that as well...  But say I apply VLAN 10 to port2, I try and apply 10.0.10.253/21 for the IP on VLAN10, it conflicts with Port16-VLAN10...  Do I leave the IP address blank for each iteration of the VLAN past the first one, and then just still point all the client GWs to the original definition (in my example, where I defined it on Port16)?
I am used to being able to just create a VLAN interface with an ASA, and apply it to any number of physical interfaces I want, and the VLAN just references the original VLAN interface definition...

I try to look for documentation on this, but it seems they always want to refer back to a FortiSwitch (not going to happen), or use different terminology or something...
It is very frustrating that we can't define VLANs and then attach them easily to the interfaces, and once we define a VLAN, if you need to make a change to it, you basically have to delete the one you made and re-create it with your changes... Those seem like pretty common features someone would want.
Have you made any headway with your original question? What purpose is this VLAN Switch Mode option? I ran into this thread when I was trying to figure out my problem, thinking it was a feature that I could use...