FortiExtender
FortiExtender offers wireless connectivity for nearly any operational network.
vpatil
Staff
Article Id 190627

Description


This article describes how to configure FortiExtender (FEX) in VLAN mode on FortiGate.

Scope


For version v3.3 build452.
FortiExtender is directly connected to Port2 interface on FortiGate.

Solution


Why FortiExtender VLAN mode:

With a FortiExtender-WAN type interface, all traffic to and from FortiGate is encapsulated in the CAPWAP data channel, whereas with a VLAN type interface the traffic is sent and received on the VLAN interface.

Because there is no encapsulation overhead, VLAN mode delivers better speeds. It requires that the VLAN interface be created directly on top of the FortiGate port to which FortiExtender is connected.

- To begin with, ensure FortiExtender is running the latest FortiExtender GA firmware version. FortiExtender firmware can be downloaded from the Fortinet support portal: https://support.fortinet.com

- Enable 'fortiextender-vlan-mode' on FortiGate using the steps below:

Note:
VLAN mode has to be enabled explicitly, as it is disabled by default on FortiGate, and all FortiExtender-WAN interfaces must be deleted before VLAN mode is enabled.

 

# config system global
(global)set fortiextender-vlan-mode enable
(global)end

 

Ensure that the VLAN interface is created based on the physical interface of the connected FortiExtender.

Refer to page 57: https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/355957a5-4eb5-11ea-9384-005056...

Configuration:

FortiGate side configuration steps:

1) Create the port2 interface, configure the IP address 172.20.30.1 on it with a DHCP server running on it, and allow CAPWAP traffic.
2) Create a VLAN interface on top of port2 (any VLAN ID, for example 123). Let's call it fextvlan. Make this interface a DHCP client.
3) The FortiExtender connected to port2 will get an IP address from FortiGate, for example 172.20.30.20.
4) To authorize FortiExtender in the FortiGate GUI, navigate to Network -> FortiExtender, wait for the FortiExtender to be discovered by FortiGate, and then authorize it by selecting the VLAN interface.
5) The FortiGate sends the VLAN ID to FortiExtender over CAPWAP, and FortiExtender automatically creates a VLAN interface with VLAN ID 123 ('nas1.123' or 'vid:123'). No special configuration is needed.
6) When the FortiExtender modem is connected to the Internet, FortiExtender runs a DHCP server on its VLAN interface ('nas1.123') and informs the FortiGate that it is up.
7) The FortiGate gets the control message over port2.
8) The FortiGate then brings up 'fextvlan' and runs the DHCP client. The DHCP Discover is sent through VLAN 123 created on top of port2, and FortiExtender receives the request over its VLAN 123 interface (nas1.123).
9) The FortiExtender VLAN interface on FortiGate now gets an IP address from the modem, over the VLAN only.
10) The idea is to make sure that data traffic is separated from control traffic by VLAN.
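
Steps 1 and 2 above written as FortiGate CLI, as an added example that is not part of the original article. The /24 netmask, the DHCP range and the "root" VDOM are assumptions; the interface name, addresses and VLAN ID are the ones used in the steps.

```text
# Added example: control side (port2) and data side (fextvlan) for FEX VLAN mode.
# Assumptions: /24 netmask, DHCP range 172.20.30.2-254, VDOM "root".

config system interface
    edit "port2"
        set vdom "root"
        set mode static
        set ip 172.20.30.1 255.255.255.0
        # Only what the FortiExtender control channel needs on this port.
        # On FortiOS releases where this option is named "fabric", use that instead.
        set allowaccess ping capwap
    next
end

# DHCP server on port2: the FortiExtender management address
# (172.20.30.20 in step 3) is leased from this range.
config system dhcp server
    edit 1
        set interface "port2"
        set default-gateway 172.20.30.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 172.20.30.2
                set end-ip 172.20.30.254
            next
        end
    next
end

# VLAN 123 on top of port2, addressed by DHCP from the FortiExtender modem side.
# No allowaccess is set: this interface carries WAN data, not management.
config system interface
    edit "fextvlan"
        set vdom "root"
        set interface "port2"
        set vlanid 123
        set mode dhcp
    next
end
```

Once the modem is connected, `get system interface` on FortiGate should list fextvlan with the address it leased over VLAN 123 (step 9).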

Screenshot 1: FortiGate with two interfaces for FortiExtender: LAN (Hardware Switch) and the VLAN interface.

Screenshot 2: FortiExtender GUI showing the FortiExtender management and WAN IP addresses.

Screenshot 3: FortiExtender CLI showing the automatically created VLAN interface with VLAN ID 123, i.e. 'nas1.123' or 'vid:123'.

Screenshot 4: FortiExtender CLI showing the extender status in VLAN mode.

Comments
asanzd
Staff

Thank you very much, vpatil. Very useful!