Thonno
New Contributor III

FortiAP Tunnel Mode - FortiSwitch VLAN

Scenario:

I have a network setup consisting of a FortiGate, a FortiSwitch and multiple FortiAPs. The connections are as follows:

  • FortiGate:

    • Port1 (FortiLink) is connected to Port 24 on the FortiSwitch.
    • I have created VLAN 400 (named "MGMT") on the FortiLink interface, which is used for managing the FortiAPs.
  • FortiSwitch:

    • Ports 21, 22, and 23 are configured in VLAN 400 for connecting the three FortiAPs. These ports are working correctly, and the FortiAPs are connected.
  • SSID Configuration:

    • I have configured three SSIDs on the FortiGate in Tunnel mode.
    • Each SSID is associated with a different VLAN (configured as optional VLAN IDs within the SSID settings).
    • DHCP is enabled on the FortiGate for these VLANs.

Issue:

When clients connect to the Wi-Fi SSIDs broadcast by the FortiAPs, they are not receiving IP addresses from the DHCP server, even though DHCP is enabled and configured correctly on the FortiGate for the SSID VLANs.

Upon further investigation, I noticed that the VLANs associated with the SSIDs (configured as optional VLAN IDs) do not appear on the FortiSwitch. This leads me to believe that the issue may be with the VLAN configuration on the FortiSwitch, where the VLANs for the SSIDs are not propagated correctly.


Steps Taken:

  1. FortiAPs are connected properly to the FortiSwitch on ports 21, 22, and 23, which are assigned to VLAN 400 (MGMT).
  2. SSID Configuration on the FortiGate is set to Tunnel mode, with the respective VLANs configured as optional VLAN IDs for each SSID.
  3. DHCP Server is active and correctly configured for each SSID VLAN on the FortiGate.
  4. However, the VLANs assigned to the SSIDs do not show up on the FortiSwitch, which may be causing the issue with IP assignment.

Request for Help:

Could someone guide me on how to correctly propagate the SSID VLANs to the FortiSwitch so that clients connected to the Wi-Fi can receive DHCP addresses? Is there any additional configuration needed on the FortiSwitch to ensure these VLANs are properly handled?

 

PS: I need to use SSIDs in tunnel mode to enable client isolation even between devices connected via different APs.

1 Solution
KumarV
Staff

Hello @Thonno ,

 

No, you do not need to add any extra configuration on the FortiSwitches. All you need to make sure of is that your FortiAP is getting an IP from DHCP, and if it is connected, then all the DHCP discover traffic from clients will be encapsulated in CAPWAP. You can see the document below:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Use-of-Optional-VLAN-ID-in-Tunnel-type-Wir...

 

Regards

 

Verender

Thonno
New Contributor III

I solved it. The problem was that I had created the SSID with Optional VLAN and addressing all within the WiFi configuration.

I had to create the SSID without addressing and with only optional VLAN, and then create a new VLAN as a sub-interface of the SSID with the VLAN ID identical to the optional VLAN of the SSID and correct addressing.

Thank you very much for the help.
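
The fix described in the reply above can be checked offline against a configuration backup. The script below is an added example, not part of the original thread and not Fortinet code: it reports every SSID that has an optional VLAN ID but no addressed VLAN sub-interface with the same ID on top of it. The sample config is constructed and trimmed to the keys the check reads, and the names `guest` and `staff`, the VLAN IDs and the addresses are assumptions.

```python
# Constructed FortiOS-style config: names, VLAN IDs and addresses are made up.
# "guest" follows the fix from the post; "staff" repeats the original mistake.
SAMPLE = '''
config wireless-controller vap
    edit "guest"
        set vlanid 10
    next
    edit "staff"
        set vlanid 20
    next
end
config system interface
    edit "guest.10"
        set ip 10.0.10.1 255.255.255.0
        set interface "guest"
        set vlanid 10
    next
    edit "staff"
        set ip 10.0.20.1 255.255.255.0
    next
end
'''

def parse(text):
    """Parse flat config/edit/set blocks into {section: {entry: {key: value}}}."""
    cfg, section, entry = {}, None, None
    for raw in text.splitlines():
        verb, _, rest = raw.strip().partition(" ")
        if verb == "config":
            section, entry = cfg.setdefault(rest, {}), None
        elif verb == "edit" and section is not None:
            entry = section.setdefault(rest.strip('"'), {})
        elif verb == "set" and entry is not None:
            key, _, value = rest.partition(" ")
            entry[key] = value.strip('"')
    return cfg

def audit(text):
    """List SSIDs whose optional VLAN has no addressed sub-interface."""
    cfg = parse(text)
    ifaces = cfg.get("system interface", {})
    findings = []
    for name, vap in cfg.get("wireless-controller vap", {}).items():
        vlan = vap.get("vlanid", "0")
        if vlan != "0" and not any(
                i.get("interface") == name and i.get("vlanid") == vlan and "ip" in i
                for i in ifaces.values()):
            findings.append(f"{name}: no addressed sub-interface for VLAN {vlan}")
    return findings
```

Calling `audit(SAMPLE)` flags only `staff`, whose addressing sits on the SSID interface itself. The parser handles flat `config`/`edit`/`set` blocks only, so nested sections in a full backup would need a fuller parser.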
