Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
train_wreck
New Contributor III

30E Hardware Switch - can't have port in "access" VLAN mode?

New to Fortigate, have a 30E running latest 5.6 firmware. I am trying to understand the process of creating VLANs on the device.

 

It appears to me that, from the hardware switch containing LAN ports 1-4, you can create VLANs with VLAN IDs and unique router IP addresses for each VLAN. Then you can connect to the "trunk" port of another switch to any of the 4 ports and configure matching VLAN IDs on the separate switch. This works as far as I can tell.

 

But how would I configure a port on the Fortigate to be in "access" VLAN mode? For example, I create VLANs 10, 20, and 30 under the Hardware Switch. I don't see a way to have port 1 assigned to VLAN 10, port 2 to VLAN 20, port 3 to VLAN 30, and then maybe port 4 would be a trunk of all VLANs to a separate switch. If I remove a port from the hardware switch, I don't see any VLAN settings at all in the GUI config (no option for native VLAN, default VLAN, or anything at all.)

 

So is this scenario not possible on the 30E?

1 Solution
Toshi_Esumi
SuperUser
SuperUser

As far as I know FortiGate's VLAN architecture doesn't support access ports.

View solution in original post

8 REPLIES 8
Toshi_Esumi
SuperUser
SuperUser

As far as I know FortiGate's VLAN architecture doesn't support access ports.

Toshi_Esumi

And one vlan subinterface can be attached to one parent interface only. You can't attach "vlan 10" to lan1 and lan4 separately. You need to aggregate those into a hard/soft-switch to do that, which would break your design. You have to do the vlan break-up at the outside L2 switch after handing all vlans to it.  

dmcquade
New Contributor III

Remove one of the ports from the hardware switch. You should then be able to create VLAN interfaces assigned to this port. Make sure the switch interface the port is connected to is configured as a trunk. The switch will also need the same VLAN IDs.

 

HTH

d

train_wreck
New Contributor III

Interesting that it doesn't support access ports, and a bit disappointing. Seems like a somewhat odd restriction to have.

dmcquade
New Contributor III

A firewall port not part of the switch can certainly be an access port. Assign it an IP and cable it to a switch port that setup for static access and assign it the VLAN there. You can also setup the interface to receive an address via DHCP but that is a more complex setup as it is for specific circumstances (such as dynamic IP from ISP) and can cause other issues.

 

So you can have port 1 be associated with VLAN 10, port 2 VLAN 20 and port 3 VLAN 30. Not sure why you would then want to have port 4 be a trunk with the same VLANs. The purpose of the firewall is to inspect traffic as it routes (or passes through in transparent mode at layer 2). What are you trying to achieve?

train_wreck
New Contributor III

dmcquade wrote:

A firewall port not part of the switch can certainly be an access port. Assign it an IP and cable it to a switch port that setup for static access and assign it the VLAN there.

Apologies. I am using the Cisco terminology for "access" and "trunk" ports, and this may be the source of confusion. By "access", I mean to say that the port is a member of a particular VLAN, but will only accept UNTAGGED traffic. It will then forward traffic to/from other ports that are members of the same VLAN. "Trunk" ports, by contrast, only send/receive TAGGED VLAN traffic (likely from another VLAN-aware switch, or possibly a server with tagging capabilities on its network adapter). They will, however, forward traffic to/from the UNTAGGED "access" port if that port is a member of the same VLAN as the TAGGED port.

 

My scenario above was to have the following config:

 

port 1 = VLAN 10 (directly connected to Server 1)

port 2 = VLAN 20 (directly connected to Server 2)

port 3 = VLAN 30 (directly connected to Server 3)

port 4 = Trunk of VLANs 10,20,30 (directly connected to larger switch)

 

Port 4 would be connected to a port on a larger switch that would be configured for trunking. The larger switch would have VLANs 10, 20, and 30 configured on it. The ideal result would be for a device in VLAN 10 on the switch to be able to communicate with Server 1 connected to the Fortigate's port 1 (also VLAN 10). But since the Fortigate doesn't support the concept of an "access" port, this is not possible.

 

I have made the above example work by configuring ALL Fortigate ports as trunks, and then having the servers tag traffic with their respective VLANs. This results in each server being able to communicate only with hosts in the same VLAN.

 

Thanks!

dmcquade
New Contributor III

Not sure why you would want to mix the Fortigate as a switch with actual switches. I believe the concept of creating a group of ports as a "switch" is for small implementations without the need for an actual switch or to define a subnet confined to the fortigate itself. You could also look into the line of Fortiswitches.

 

d

train_wreck
New Contributor III

dmcquade wrote:

Not sure why you would want to mix the Fortigate as a switch with actual switches. I believe the concept of creating a group of ports as a "switch" is for small implementations without the need for an actual switch or to define a subnet confined to the fortigate itself.

The same type of "small implementations" that a lower end Fortigate would do well in, would be the same type of organizations in which the ability to cheaply expand the device would be desirable. I agree with what you're saying, the situation is not likely to commonly come up. I ask primarily to see if it is at all possible for learning purposes, and to see if it is in the bounds of the device's capabilities.

 

At least switching is there; my main company switched over to an ASA5506 a couple of years ago, and that device has 8 ethernet ports, none of which were even software switchable (bridging was later addedd via an ASAOS update).

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors