Fortinet Forum
tanr
Valued Contributor II

VLAN Switch Mode with CLI on FGT 100D 5.4.1

Hi All,

TL;DR:

Anybody familiar with the "VLAN Switch Mode" that is supposedly accessible through CLI only for the FGT 100D? A usable example or set of CLI commands would be great.

More Details:

I'm spending my weekend doing initial setup of a FortiGate 100D and 300D, to replace older (non-FortiGate) hardware at two locations, both of which have multiple managed switches with a number of vlans.  This is all with 5.4.1.  The two locations have an always-on vpn connection.  Everything is already up and running with the old hardware.

The 100D is going to the remote site, with only two small managed switches and a smaller number of vlans.

My initial plan for the 100D was to remove most of its physical ports from membership in the "lan" hard-switch interface, create appropriate vlan interfaces as children of the ports (multiple in some cases so it can be used as a trunk), and connect to the switches in exactly the same way.  However, it seemed a waste to use all those separate switch ports when the 100D had plenty itself...

I've scanned through the forums and found plenty of references telling me that a FortiGate's vlan interfaces can only send and receive tagged packets, but I also ran into a few documents that specifically referred to the 100D and 200D and described a "VLAN Switch Mode", which seemed to imply that a hardware switch on the 100D or 200D could be set to have a particular vlan, but with an untagged trunk port.  This supposedly is doable only from CLI.

I've searched the following documents and posts, among others, but haven't found any method that works in 5.4.1 to change an existing switch with type hard-switch to type switch-vlan.  Similarly, attempting to create a new switch object with type switch-vlan also fails.  (I can post the attempts and failures if needed.)

Tech Note that describes VLAN Switch Mode for 5.4:

http://kb.fortinet.com/kb/documentLink.do?externalID=FD37588

Ken Felix blog post that describes this, but seems to only be controlling a FortiSwitch:

http://socpuppet.blogspot.com/2015/01/fortigate-switch-controller.html

FortiOS 5.2 forum post regarding VLAN switch mode, with mention of a trunk:

https://forum.fortinet.com/tm.aspx?m=127058

Before I get to the point of exhaustively trying combinations and posting the many errors they generate, has anybody successfully set up a 100D or 200D with a switch of type switch-vlan?  Did it still force all switch ports to be vlan tagged, or did it allow untagged?  If it allowed untagged, please let me know the CLI commands you used.

Probably just chasing ghosts, but thought I'd check.

tanr
Valued Contributor II

It looks like 5.2.x handles the software switch a little differently than I've seen in 5.4.x, though it's been a number of months since I've worked with them.  Hope your transition to 5.4.x goes smoothly!