Created on 10-05-2017 04:04 PM Edited on 09-24-2023 02:26 PM By Nishtha_Baria
Description
This article describes how, in normal operation, a FortiGate acting as the main gateway delivers dynamic IP addressing to all users who need access to network services, and how this scenario may change depending on network requirements and capabilities.
Wireless solutions for IoT and BYOD
The FortiGate works as a wireless controller managing several FortiAPs and also functions as the DHCP server for end users. However, when the centralised DHCP service is located remotely, configuration changes need to be made on the FortiSwitches (or third-party switches) so that the DHCP assignments can be propagated to the clients behind the FortiAPs.
Scope
All FortiGate units function as a Wireless Controller.
Solution
1. Using an internal software switch, port internal1 is connected to the FortiSwitch.
3. Once a dedicated FortiLink is configured, the FortiGate will be able to discover the FortiSwitch (provided it is connected to one of the default FortiLink ports on the FortiSwitch side).
4. Create VLAN interfaces on the FortiGate, bind them to the FortiSwitch and use them to distribute each DHCP server's traffic. In this example they are VLAN 10 and VLAN 20. After the VLANs are created, the view of the VLAN interfaces over the internal1 port is as follows:
5. The FortiAPs need to be connected to the FortiSwitch, or to the FortiGate on a native VLAN, so that they can reach the FortiGate controller over the CAPWAP protocol. The corresponding interface is created automatically and is named “vsw.internal1”; assign it an IP address segment that the FortiAPs can reach over CAPWAP.
Note: Tick the administrative access options HTTP(S), PING and SSH on this interface to allow troubleshooting of the FortiAPs. It is important to also tick CAPWAP, which is required to register the FortiAPs and push their configuration.
6. The FortiGate will then be able to reach the FortiAPs over the vsw.internal1 interface. Make sure to authorize them before starting to work on them.
7. Attach the VLANs to the FortiSwitch. Go to “WiFi & Switch Controller” > “FortiSwitch Ports” and allow the VLANs on the ports connected to the FortiAPs.
8. Configure an SSID for each service VLAN. Go to “WiFi & Switch Controller” > “SSID” and select “Create New (SSID)”. The SSID bridges the traffic, since it arrives from the other device.
9. Create a FortiAP profile and attach the SSID created previously.
Note: The same configuration has to be applied on Radio 2, selecting the SSID specified for VLAN 10 or 20.
10. Bind the previous profiles to each registered FortiAP. Go to “WiFi & Switch Controller” > “Managed FortiAPs”, select the FortiAP and set the FortiAP profile so that it announces the SSID.
After each FortiAP is provisioned, it will reboot to fetch the new configuration over the CAPWAP tunnel.
The following shows the final configuration:
11. Now configure the DHCP servers on the connected ports.
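The following is an added example, not part of the original article, showing the FortiOS CLI equivalent of steps 4 and 11: the two VLAN interfaces over internal1 and a DHCP server bound to each of them. The interface name internal1 and the VLAN IDs 10 and 20 come from the article; the interface names vlan10 and vlan20, the DHCP server entry numbers and every IP address and address range below are assumptions chosen for illustration and must be replaced with the site's own addressing plan.

```text
# Added example (FortiOS CLI), not taken from the original article.
# internal1, VLAN 10 and VLAN 20 are from the article; all names and addresses
# below are assumptions for illustration only.
config system interface
    edit "vlan10"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set interface "internal1"
        set vlanid 10
    next
    edit "vlan20"
        set vdom "root"
        set ip 10.10.20.1 255.255.255.0
        set allowaccess ping
        set interface "internal1"
        set vlanid 20
    next
end
# One DHCP server per VLAN interface (step 11); the gateway handed out to the
# clients is the VLAN interface address configured above.
config system dhcp server
    edit 10
        set dns-service default
        set default-gateway 10.10.10.1
        set netmask 255.255.255.0
        set interface "vlan10"
        config ip-range
            edit 1
                set start-ip 10.10.10.100
                set end-ip 10.10.10.200
            next
        end
    next
    edit 20
        set dns-service default
        set default-gateway 10.10.20.1
        set netmask 255.255.255.0
        set interface "vlan20"
        config ip-range
            edit 1
                set start-ip 10.10.20.100
                set end-ip 10.10.20.200
            next
        end
    next
end
```

The `allowaccess` line is deliberately limited to ping on the client VLANs; the HTTP(S) and SSH access described in the note of step 5 belongs on the vsw.internal1 management segment, not on the VLANs that carry end-user traffic.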
Note: By default, FortiSwitch and some third-party vendors have DHCP snooping enabled. DHCP snooping blocks DHCP messages arriving on untrusted ports, so that the switch only forwards DHCP traffic coming from its original sources.
To permit these DHCP packets to reach the end devices on both VLANs, disable DHCP snooping on port1 and port2 of the FortiSwitch. Run the following commands:
config switch vlan
    edit 1
        set private-vlan disable
        set description ''
        set igmp-snooping enable
        set dhcp-snooping disable
        set dhcp-snooping-verify-mac disable
        set dhcp-snooping-option82 disable
    next
end
Once DHCP snooping is disabled, DHCP messages can pass through the FortiSwitch to the end users, who can then reach the services.
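As an added example that is not part of the original article, the FortiSwitchOS commands below put the article's setting beside a tighter alternative. The VLAN IDs 10 and 20 come from step 4; the uplink port name port48 is an assumption and must be replaced with the port that actually faces the FortiGate. In the second variant, DHCP snooping stays enabled on the VLANs and only the uplink towards the FortiGate is marked as trusted, so DHCP server replies arriving from the gateway side still reach the FortiAP ports, while the switch keeps dropping DHCP server replies that appear on any client-facing port.

```text
# Added example (FortiSwitchOS standalone CLI), not taken from the original article.
# VLAN 10 and 20 are from the article; "port48" as the uplink is an assumption.

# Variant A, what the article does: DHCP snooping off for the whole VLAN.
config switch vlan
    edit 10
        set dhcp-snooping disable
    next
    edit 20
        set dhcp-snooping disable
    next
end

# Variant B, tighter: keep snooping on and trust only the uplink to the FortiGate.
config switch vlan
    edit 10
        set dhcp-snooping enable
    next
    edit 20
        set dhcp-snooping enable
    next
end
config switch interface
    edit "port48"
        set dhcp-snooping trusted
    next
end
```

Variant A is the one to use when DHCP server replies must enter the switch on several ports; when the only DHCP service for these VLANs is reached through the uplink, variant B delivers the same addresses to the wireless clients while keeping the protection the note above describes.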
Copyright 2024 Fortinet, Inc. All Rights Reserved.