Description
This article describes the best practices for manually changing VLANs on managed switches.
Scope
FortiNAC version: 8.x, 9.x, F 7.x.
Solution
Manually changing VLANs on managed switches should always be done through the system Administration UI as opposed to directly on the switch itself.
For devices under enforcement, the Current VLAN value is updated when the system itself changes the VLAN of that port. If the VLAN is instead changed manually via the CLI of the switch, FortiNAC has no knowledge of the change unless one of the following occurs:
- The Update VLAN or READ VLANs function is manually run.
- The system's management processes are restarted.
- VLANs are read during L2 poll under certain conditions (refer to related article below for details).
Because of this, VLAN switching can produce inconsistent results if changes are not made through the UI.
Example:
- Administration UI Port View: Port 10 Current VLAN = 30 (Registration).
- From the switch CLI, port 10's VLAN is changed from 30 to 20. Result: Port View: Port 10 Current VLAN still displays 30 (Registration).
- Rogue host connects. Result: According to the system database, Port 10 already has VLAN 30 configured. Therefore, no attempt to change the port VLAN is made. The Rogue host remains in VLAN 20.
- From Model Configuration, READ VLANs is clicked under Network Access/VLANs. Result: Port View: Port 10 Current VLAN value updates to 20.
- On the next L2 poll, or when the host disconnects and reconnects, the system switches Port 10's VLAN to 30.
Workaround: If VLANs are changed via the switch CLI, force a re-read of the VLANs.
- Right-click on the modeled device in the topology, and select Network Access/VLANs.
- Select the READ VLANs button. The Port View will update accordingly.
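The following simulation, added here as an illustration and not FortiNAC code, replays the example above and the workaround. It models a hypothetical NAC database that caches a Current VLAN per port and only pushes a change when that cached value differs from the desired one; the class and function names (Switch, NacDatabase, enforce, read_vlans, vlan_drift) are assumptions for the illustration. The drift check at the end shows how a defender can spot ports whose cached value no longer matches the switch before relying on enforcement.

```python
"""Simulation of the stale Current VLAN scenario (hypothetical model, not FortiNAC code)."""

from dataclasses import dataclass, field

REGISTRATION_VLAN = 30  # VLAN used for rogue/unregistered hosts in the example
OTHER_VLAN = 20         # VLAN set out-of-band from the switch CLI in the example


@dataclass
class Switch:
    """The real switch: the authoritative VLAN assignment for each port."""
    port_vlan: dict = field(default_factory=dict)

    def cli_set_vlan(self, port, vlan):
        # A change made directly on the switch CLI; the NAC is not told about it
        self.port_vlan[port] = vlan

    def get_vlan(self, port):
        return self.port_vlan[port]


@dataclass
class NacDatabase:
    """The NAC's view of the network: the cached 'Current VLAN' per port."""
    current_vlan: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def set_vlan(self, switch, port, vlan):
        # The NAC changes the port itself, so its cache is updated at the same time
        switch.cli_set_vlan(port, vlan)
        self.current_vlan[port] = vlan
        self.log.append(f"port {port}: VLAN set to {vlan}")

    def read_vlans(self, switch):
        # READ VLANs (or an L2 poll that reads VLANs): refresh the cache from the switch
        self.current_vlan.update(switch.port_vlan)
        self.log.append("VLANs read from switch")

    def enforce(self, switch, port, desired_vlan):
        # Enforcement decides from the cached value, not from live switch state
        if self.current_vlan.get(port) == desired_vlan:
            self.log.append(f"port {port}: already VLAN {desired_vlan}, no change")
            return False
        self.set_vlan(switch, port, desired_vlan)
        return True


def vlan_drift(nac, switch):
    """Ports whose cached Current VLAN differs from what the switch actually has."""
    return {
        port: (nac.current_vlan.get(port), vlan)
        for port, vlan in switch.port_vlan.items()
        if nac.current_vlan.get(port) != vlan
    }


def run_scenario(reread_before_enforce=False):
    """Replay the article's example on port 10 and return the observed VLANs."""
    switch, nac = Switch(), NacDatabase()
    nac.set_vlan(switch, 10, REGISTRATION_VLAN)   # Port View: Current VLAN = 30
    switch.cli_set_vlan(10, OTHER_VLAN)            # manual CLI change to 20; NAC unaware

    drift = vlan_drift(nac, switch)                # cache says 30, switch says 20
    if reread_before_enforce:
        nac.read_vlans(switch)                     # workaround applied first

    nac.enforce(switch, 10, REGISTRATION_VLAN)     # rogue host connects
    after_rogue_connect = switch.get_vlan(10)

    nac.read_vlans(switch)                          # READ VLANs from Model Configuration
    nac.enforce(switch, 10, REGISTRATION_VLAN)     # next L2 poll / host reconnects
    after_reread_and_poll = switch.get_vlan(10)

    return {
        "drift_before_enforce": drift,
        "after_rogue_connect": after_rogue_connect,
        "after_reread_and_poll": after_reread_and_poll,
        "log": nac.log,
    }


if __name__ == "__main__":
    for line in run_scenario()["log"]:
        print(line)
```

Without the re-read, the rogue host lands in VLAN 20 because the cache already reads 30 and no change is attempted; once READ VLANs refreshes the cache, the next enforcement pass moves the port back to 30. Running the scenario with reread_before_enforce=True shows that re-reading immediately after any CLI change keeps the rogue host in the Registration VLAN from the start.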