Description
This article describes the different Switch interface types that can be configured on the FortiGate (Hardware, Software, and VLAN Switches), including differences in functionality, use-cases, and general setup.
Scope
FortiGate v6.2 and later.
Solution
Three types of Switch interfaces can be configured in FortiOS. However, take note that the availability of these options is dependent on the FortiGate model and the currently-installed firmware version (this is discussed further below):
Software Switch.
- Software Switch interfaces are a type of virtual interface that is implemented entirely in software (i.e., any traffic that flows through a Software Switch must be processed by the CPU). One major consequence of this is that NPU hardware-acceleration of traffic is not supported when passing through a Software Switch.
- This lack of hardware-acceleration support also means that Software Switch interfaces will see increasing CPU usage (especially softIRQ-related usage) as the volume of network traffic passing through it increases (both in terms of switched traffic and traffic routed to other interfaces on the FortiGate).
- However, one key advantage of Software Switches is their flexibility, as any type of interface may become a member of a Software Switch (for example, physical interfaces, VLAN, tunnel-mode wireless SSID, VXLAN/GRE/IPsec tunnel interfaces, etc).
- Additionally, Software Switches are supported on all FortiGate models, including FortiGate-VMs.
- Notably, Software Switches can be configured such that Firewall Policies are required to allow traffic between member interfaces. Refer to the following KB article for more information: Technical Tip: Software switch policy
- For additional information on Software Switches, refer to the following:
Hardware switch.
- Hardware Switch interfaces are a type of virtual switch interface that is based on underlying switching hardware present on the FortiGate (i.e., a hardware switching chip, often referred to as the Integrated Switch Fabric on the FortiGate, or ISF).
- One of the key benefits of using a Hardware Switch is that Layer 2 traffic can be switched in-hardware, which greatly increases switching performance while also reducing CPU utilization on the FortiGate substantially. Additionally, NPU hardware-acceleration of traffic is supported when passing through a Hardware Switch.
- However, one key drawback of Hardware Switch interfaces (when compared to the Software Switch) is reduced flexibility. For example, Hardware Switch interfaces may ONLY have physical interfaces as members (such as RJ-45 Ethernet interfaces and SFP/SFP+ interfaces), and the exact list of eligible interfaces varies on a per-model basis.
- For example, the FortiGate 600F and 601F fast path architecture does have an Integrated Switch Fabric that connects to most of its ports, but it also has a separate set of ultra low latency (ULL) SFP28 interfaces that are specifically not connected to this ISF (and so they would not be available as member interfaces for the Hardware Switch).
- Additionally, Hardware Switch interfaces are only supported on hardware FortiGate models that have an Integrated Switch Fabric chip (some hardware models did not include these ISFs). Examples of models that do not support Hardware Switch include FortiGate-VMs and the FortiGate 600E and 601E fast path architecture.
- Generally speaking, devices with Hardware Switch interfaces will have a single switch interface by default, typically labelled 'internal' or 'LAN'.
- For additional information on Software Switches, refer to the following:
- Notably, the above links include a list of devices that support Hardware Switch interfaces. However, it is also recommended to review the Hardware Acceleration documentation, as it will also include diagrams for most FortiGate hardware models (including which ones have Integrated Switch Fabrics for Hardware Switch support).
VLAN Switch.
- VLAN Switches are functionally identical to Hardware Switches (and are configured using the same CLI commands), but they have two additional features available: the ability to assign a VLAN tag to traffic crossing the VLAN Switch interface, as well as the ability to send traffic over a dedicated Ethernet Trunk interface (discussed further below).
- Key Note 1: VLAN Switches have all of the functionality of Hardware Switches, and so they can be used in all of the same places that a Hardware Switch can (i.e., treat them interchangeably when seen in documentation).
- This also means that VLAN Switches generally have the same restrictions as Hardware Switches in terms of model compatibility (i.e., requiring an Integrated Switch Fabric chip). However, VLAN Switches are further limited in that they are not necessarily available for all models.
- Known Issue 1: VLAN sub-interfaces do not seem to work correctly when using a VLAN Switch with a non-zero VLAN ID as the parent. However, no such issue occurs if the VLAN Switch is set with VLAN 0 (aka no tag).
- For example, if a VLAN Switch is created with VLAN 100 and a VLAN sub-interface is created on this VLAN switch with VLAN 200, then untagged traffic received on the VLAN Switch will be received successfully, but tagged traffic for VLAN 200 will not.
- To avoid this issue, the recommendation is to either: use VLAN Switches with VLAN 0 (default) when also using VLAN sub-interfaces on this switch interface, or use VLAN Switches with non-zero VLANs and do not use VLAN sub-interfaces.
- Known Issue 2: Changing the VLAN ID of a VLAN Switch can cause issues if there are VLAN sub-interfaces attached to this switch until either a reboot occurs or the member list of the VLAN Switch is updated (i.e., add or remove a member).
- Alternatively, switch the FortiGate from using VLAN Switches to Hardware Switches to avoid running into this issue.
- Key Note 2: FortiGates can use either VLAN Switches OR Hardware Switches (i.e., they cannot be used at the same time). Disabling VLAN Switches is supported, though it will result in Ethernet trunk being disabled on any interface where it is enabled, and VLAN settings will be removed before the VLAN Switches are converted to Hardware Switches:
FortiGate # config system global
FortiGate (global) # set virtual-switch-vlan ?
enable Enable virtual switch VLAN.
disable Disable virtual switch VLAN.
FortiGate (global) # set virtual-switch-vlan disable
This change will disable trunk on interfaces and remove VLAN from virtual switches.
If you don't want it to be changed, type "abort"
FortiGate (global) #
FGT61F-PJ01 (global) # set virtual-switch-vlan enable
This change will assign a non-zero VLAN id to virtual switches. <-- Note that this is typically set to VLAN ID 2.
If you don't want it to be changed, type "abort"
FortiGate (global) #
- It is recommended to check the FortiGate Administration Guide for a list of devices that support VLAN Switches in a given version of FortiOS firmware. For example, here are the entries for FortiOS v6.4.16 vs. FortiOS v7.6.3 (latest available at the time of this writing):
- Early on, VLAN Switch interfaces were only supported on FortiGates with >=16 physical network interfaces, but in FortiOS v6.2 and later, support was expanded over time to include most (if not all) E-series and F-series models and beyond.
- Notably, VLAN Switch interfaces are configured in the same way as Hardware Switches (under config system virtual-switch), but with small differences related to VLAN IDs and the separate Ethernet Trunk interface.
VLAN Switch Continued - Assigning VLANs and creating an Ethernet Trunk.
As mentioned above, VLAN Switches have two key differences compared to Hardware Switch interfaces. The first difference is that a VLAN ID may be assigned to the VLAN Switch:
config system virtual-switch
edit 'VLAN_Switch'
set physical-switch 'sw0'
set vlan 100
config port
edit 'internal3'
next
end
next
end
The second difference is that VLAN Switches can specifically be paired with interfaces that are set to the Dedicated as Ethernet Trunk Addressing mode. Notably, only individual interfaces may be set to Ethernet Trunk mode (i.e., not Link Aggregates or VLAN Switches):
config system interface
edit 'internal2'
set trunk enable
next
end
Notably, the VLAN ID is functionally equivalent to the native/access VLAN concept that exists for other network switches, and the Ethernet Trunk function matches with the general concept of a 'trunk port'. In effect, the FortiGate gains the ability to operate as a basic managed network switch with the ability to connect a trunk back to other downstream Layer 2 network switches.
The following are some example scenarios of how this works. In this example, assume that User_A is connected to the FortiGate directly via VLAN_Switch_1, User_B is connected on a different member port of the same VLAN_Switch_1, User_C is connected to a different VLAN_Switch_2, and User_D is connected to a downstream network switch that is connected to the FortiGate's Ethernet Trunk interface:
- User_A -> User_B - In this scenario, User_A sends untagged traffic to the VLAN Switch. This traffic is switched and sent out untagged to User_B's connected interface.
- User_A -> User_C - In this scenario, traffic needs to be routed since the VLAN Switches are two separate subnets. User_A sends untagged traffic to the FortiGate default gateway, and the FortiGate routes the traffic out to User_C as untagged traffic.
- User_A -> User_D - In this scenario, User_A sends untagged traffic to the VLAN Switch. The switch knows that User_D is reachable over the Ethernet Trunk, and so it sends VLAN-tagged/encapsulated traffic to the downstream switch (using the VLAN ID of VLAN_Switch_1). The Downstream switch receives the tagged traffic, de-encapsulates it, and then forwards it untagged to User_D.
Related article:
