JHamilton
New Member
August 26, 2014
Question

VLAN traffic switching

I've just converted my home office network from a competitor's product (it was blue and had a bridge logo on it) to a FortiWifi-60D. In converting from the other network layout to the new FortiWifi, I am having trouble with my VLAN configuration. My layout has the FortiWifi connected via VLAN trunk to a distribution switch with several VLANs. The FortiWifi is configured with "set internal-switch-mode interface". I have the FortiWifi configured so that the VLAN trunking is working just fine to the switch, but I want to have some of the VLANs available on local internal interface ports on the FortiWifi. I have the VLAN trunk set up so that VLAN 1 is untagged, and VLANs 250-254 are tagged. The FortiWifi is configured with IP addresses 172.16.x.1, where the x is the VLAN ID. The trunk is connected to internal1. I'd like to connect hosts on the other internal ports to those various VLANs, but I can't seem to figure out how to set up a port for switching based on a VLAN tag from another port. I hope this is possible, because it was quite simple to set up with the competing product I used previously. Thanks!

    10 replies

    emnoc
    New Member
    August 26, 2014
    I'd like to connect hosts to the other internal ports to those various VLANs, but I can't seem to figure out how to set up a port for switching based on a VLAN tag from another port.
    You lost me on this part. Are you trying to connect the hosts to internal2, 3, 4, 5, 6 on the FWF60D, in VLANs 250-254, on the same 172.16.x.1 networks? If yes, then I don't think you can do that; those unique ports are not switching ports. If you're trying to connect this to the local distribution switch, just craft the appropriate VLANs for the switch port that you want the hosts in. FWIW, a diagram would be nice and clear up what you're trying to describe and express. Nice getting away from the Cisco device with a bridge logo. I'm betting it's an ASA5505, and on that model the ports are L2 switchports, but on a FortiGate they are not in that same fashion. The only other models that work this way, btw, are Juniper SRXs, where you can take like or unlike ports and install them into a layer 2 switchport configuration and group. Why Fortinet has not gone that way and offered a similar feature is strange.
    JHamilton (Author)
    New Member
    August 26, 2014
    Are you trying to connect the hosts to internal2, 3, 4, 5, 6 on the FWF60D, in VLANs 250-254, on the same 172.16.x.1 networks? If yes, then I don't think you can do that; those unique ports are not switching ports.
    Yes, I think this is what I'm trying to say. So far, from everything I've found, this doesn't seem possible on the FWF60D, but I wanted to make sure. Here's a very rough sketch of what I'm trying to do.

         _______________________________
        |            FWF60D             |
        --1---2---3---4---5---6---7---8--
          |       |       |           |
        VLAN    PC on   PC on       PC on
        trunk  VLAN250 VLAN251      VLAN1
          |
         _|___________________
        |       Switch       |
        ----------------------
          |        |        |
        PC on    PC on    PC on
       VLAN250  VLAN251   VLAN1

    The VLAN trunking is working fine, and I can have PCs connected to the various FWF60D ports connected to the untagged VLAN from the VLAN trunk (VLAN1 in the diagram). Anyway, it sounds like I can't do this, so I may have to rearrange my switches to accommodate the FortiGate's shortcomings in this area. A small price to pay for the overall improvement over the 5505.
    Warren_Olson_FTNT
    Staff
    August 26, 2014
    Would it be possible to just not include, say, ports 3, 5, and 8 (in your drawing) in the switch you created? You can specify which ports you want to be a part of the software switch when creating it via the GUI (or CLI, for that matter).
    emnoc
    New Member
    August 26, 2014
    But can he make 3+ software-defined switches? That's the million dollar question. On a Cisco ASA5505, and possibly an SRX, this should be doable minus the restrictions on the number of VLANs, interfaces and ports.
    JHamilton (Author)
    New Member
    August 27, 2014
    You can specify which ports you want to be a part of the software switch when creating it via the GUI (or CLI, for that matter).
    The issue isn't including the ports in a software switch. The problem is having frames arrive on an 802.1Q VLAN trunk with VLAN tags in the header that should get switched to other ports and have the VLAN tags removed, as is appropriate for an access (vs. trunk) port on the switch. This seems to be a fundamental design difference between the FortiGate and the ASA with respect to the internal switching capabilities.
    lightmoon1992
    New Member
    August 27, 2014
    @JHamilton If I understood your sketch right, all you need to do is to make three VLANs reach the FortiGate, right? If so, all you need to do is to define a trunk on the FortiGate, on top of which you create three VLAN interfaces with appropriate VLAN IDs and network IDs. Let me know if I missed part of your question.
    Mohammad
    JHamilton (Author)
    New Member
    August 29, 2014
    @lightmoon1992 A host on the untagged VLAN would work just fine, but hosts on the other VLANs wouldn't understand the traffic because of the VLAN tag in the header. Even if they managed to overlook the VLAN tag (not that Ethernet drivers just "overlook" bytes they don't understand), unless they applied the correct VLAN tag to the outbound traffic, the FortiGate wouldn't put the frames on the correct VLAN. I might have some machines with NIC drivers that support VLAN tagging, but requiring the host to cooperate in keeping its traffic on the right VLAN would seem to defeat the purpose of segregating the traffic to begin with. In any case, excess packets would be sent to all of the hosts (any broadcast or multicast frames, plus anything for destinations not yet in the MAC address table), adding unnecessary traffic to those links. Plus, it's not an elegant design.
    MikePruett
    New Member
    September 4, 2014
    Make the trunk port a member of all VLANs... make the physical ports the machines plug into part of the appropriate VLAN... profit.
    JHamilton (Author)
    New Member
    September 5, 2014
    @MikePruett Thanks for the summary of exactly what I want to do. Do you have any suggestions on how to accomplish this feat?
    baitken
    New Member
    September 26, 2014
    I just had this exact situation come up. The client is using a voice VLAN routed at the FortiGate to the data VLAN. The FortiGate is configured with the internal1 interface on the data VLAN and an additional tagged VLAN interface for the voice VLAN. There is now a requirement to plug a host (PBX system) into the FortiGate directly on the voice VLAN and due to physical restrictions it would be difficult to plug into an access port on a switch. On my test system I have created a software switch between the voice VLAN and an unused port, which the FG did not complain about. In theory I should be able to plug a host directly into a port and it will be able to communicate through the soft switch to the voice VLAN. I will test in the next few days.
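As an added illustration (not configuration from baitken or any other poster), this is how the software switch described above is expressed in the FortiOS CLI. It assumes the trunk is on internal1, VLAN 250 is the voice VLAN, internal3 is the spare port, and the interface names "vlan250" and "sw-vlan250" are constructed.

```fortios
# Added example, not from the thread. Assumed: trunk on internal1,
# voice VLAN ID 250, spare port internal3; names vlan250 / sw-vlan250 are made up.
config system global
    # from the original post: splits the internal switch into internal1..n
    set internal-switch-mode interface
end
config system interface
    edit "vlan250"
        set vdom "root"
        set type vlan
        set vlanid 250
        set interface "internal1"   # tagged 802.1Q subinterface on the trunk
        # no IP address here: the software switch interface carries it
    next
end
config system switch-interface
    edit "sw-vlan250"
        set vdom "root"
        set type switch
        # untagged frames from the host on internal3 are bridged into VLAN 250,
        # and frames tagged 250 arriving on internal1 leave internal3 untagged
        set member "vlan250" "internal3"
    next
end
config system interface
    edit "sw-vlan250"
        set ip 172.16.250.1 255.255.255.0   # the 172.16.x.1 scheme from the post
        set allowaccess ping
    next
end
```

Only the two members of sw-vlan250 are bridged to each other, so a host on internal3 sees nothing from VLANs 1 or 251-254; anything between sw-vlan250 and the other VLAN interfaces is still routed and still has to pass a firewall policy.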
    emnoc
    New Member
    September 27, 2014
    Keep us posted, but I don't think that will work as intended. The integral switch in ROUTE-NAT mode doesn't switch VLANs across ports in the same VLANs. It's not a layer 2 switch in the true sense or wording of layer 2.
    On my test system I have created a software switch between the voice VLAN and an unused port, which the FG did not complain about.
    Can you dump the config so we can get an idea of what you mean?