Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
syadav
Staff
Staff

Created on ‎09-25-2023 10:24 PM Edited on ‎09-25-2023 10:25 PM By Community Manager

Article Id 275908

Technical Tip: Use of Optional VLAN ID in Tunnel type Wireless SSID configuration

Description

 

This describes how to use Optional VLAN ID in Tunnel type SSID configuration.

 

Scope

 

FortiGate/FortiAP.

 

Solution

 

When using a Tunnel-Mode SSID, the FortiAP will encapsulate wireless traffic within a CAPWAP tunnel before sending it to the FortiGate WiFi controller for inspection and routing. While configuring a Tunnel type SSID, it gives an option to use an optional VLAN ID.

If there is a VLAN under the tunnel SSID interface, the Optional VLAN ID feature can be used to tag the traffic coming from the client for that specific VLAN.

 

Topology:

syadav_8-1695681605927.png

 

FortiGate manages the FortiSwitch using FortiLink, FortiAP is connected behind the FortiSwitch, and FortiGate on VLAN 11 (10.0.11.11) manages FortiAP (10.0.11.3).

 

syadav_9-1695681605928.png

 

FortiAP is broadcasting a Tunnel-type wireless SSID with an optional VLAN ID set to 15. On FortiGate, the Tunnel SSID interface has a VLAN ID 15 as shown below:

 

syadav_10-1695681605930.png

 

When the WiFi client connects to the Tunnel SSID, it will send the DHCP Discover packet that will be received by the FortiAP.

FortiAP will add an 802.1Q VLAN tag 15 (Optional VLAN ID) on the packet and encapsulate it in the CAPWAP packet.

FortiSwitch will then receive that CAPWAP packet and it will add the 802.1Q VLAN tag 11 while sending it out to the FortiGate on the FortiLink trunk.

 

syadav_11-1695681605940.png

 

Green represents the original packet sent by the connecting device, Yellow added data by FortiAP and Blue shows the data added by FortiSwitch.

Below is the actual DHCP Discover packet received on the FortiLink interface:

 

syadav_12-1695681605942.png

 

FortiGate’s FortiLink interface receives the CAPWAP packet with DHCP discover UDP IP packet encapsulated in it.

This packet is destined for the FortiGate WiFi Controller that resides on VLAN 11. Now the outermost 802.1Q VLAN tag is for VLAN 11, FortiGate will process it for VLAN 11.

 

Packet captured on VLAN 11 interface:

 

syadav_13-1695681605943.png

 

VLAN 11 received this packet without an 802.1Q VLAN tag 11, where it will be de-encapsulated and the DHCP Discover message will be sent to the tunnel SSID interface.

 

Packet captured on SSID Interface:

 

syadav_14-1695681605944.png

 

SSID interface received the DHCP Discover interface with an 802.1Q VLAN tag 15 (Optional VLAN). It will then send this packet to the destination interface VLAN 15.

 

Packet captured on VLAN 15:

 

syadav_15-1695681605944.png

 

After VLAN 15 receives, the packet it will send a DHCP offer to the client considering the DHCP server is enabled on the interface.

 

Optional VLAN ID with Tunnel Mode SSIDs allows administrators to bridge the Tunnel-mode wireless SSID with a Software Switch.

This enables wired and wireless users to share a common network segment.

1162
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.