Hello,
first time poster here so have mercy :)
I am new to Fortinet but a long time security / networking administrator. I recently acquired a FortiGate 40F, FortiSwitch 108F and a FortiAP 221 to test it out and learn about Fortinet.
I am running into a stupid problem that I can't understand:
I would like to create VLANs on both FortiSwitch and FortiGate so that FortiGate is the gateway and DHCP-server on these VLAN networks. Furthermore, I would like to use the VLANs on the FortiSwitch so that I can use multiple ports on the switch on these VLANs, say port 1-4 has native VLAN accounting_VLAN and port 5-8 has VLAN printer_vlan, etc.
I would also like to use 1 or more ports on the FortiGate on these VLANs if needed. But this does not seem to be possible, to create a VLAN and then tag the VLAN on both FortiGate and FortiSwtich ports?
From what I can see now, if using VLANs on the FortiSwitch, I can't use these VLANs on the FortiGate ports and use the FG ports for connecting devices to the VLANs that I use?
High Level overview of what I am trying to do:
1. Create VLAN accounting_VLAN(VLAN ID=10) and office_VLAN(VLAN ID=20) on FortiGate with IP-address and DHCP enabled etc. so that the Fortigate is the gateway for the VLAN network.
2. Use the accounting_VLAN on FortiGate ports so that devices can be plugged into the FortiGate and assigned to one of these VLANs.(if FG-40F, then less ports to use, if 200F then more ports to use)
3. Connect FortiSwtich to FortiGate using Fortlink.
4. Trunk the accounting_VLAN on the trunk to the FortiSwitch
5. Use the accounting_VLAN ports on the FortiSwitch, for example ports 1-8 on accounting_VLAN and ports 9-13 on office_VLAN.
However, this doesn't seem to be possible from my testing different configurations? I can create VLANs on the FortiSwtich and tag them as native VLANs on different ports, but I can't use those VLANs on the FortiGate for creating a firewall/gateway interface to those VLANs.
What am I missing?
Best regards,
Kim,
OK...well in this case the VLAN is not mapped to any switch ports, except the Fortilink port on which the VLAN is automatically tagged on...so not sure what you mean by that.
Is this a GUI issue? Should I try CLI instead?
Update:
When creating a FSW VLAN the "Create address object matching subnet" was checked by default. So I tested to remove the object that was automatically created and then the VLAN "CLIENT" was available in the Software switch. Quite weird experience and GUI logic to be honest, doesn't make it easy for admins to configure FGT and FSW devices this way :(
Hope this helps for all other people out there trying to do this pretty simple and normal setup on a Fortigate and Fortiswitch. ;)
Thanks for your help and insight here @sachitdas_FTNT !
From FGT's view (or config), Fortilink is one of hard-switches. You can see it in CLI under "config system virtual-switch". When a VLAN is in a hard-switch, the same VLAN can not be a member of other hard-switch or soft-switch.
@khalavak wrote:
I would also like to use 1 or more ports on the FortiGate on these VLANs if needed. But this does not seem to be possible, to create a VLAN and then tag the VLAN on both FortiGate and FortiSwitch ports?
perhaps an annoying question, but why?
i personally just say it isn't possible, even though im not 100% sure. once you go FortiSwitch you use the FortiSwitch and don't mix and match VLANs with the FortiGate for access.
Why?
Well, now I have a FortiGate 40F so I don't loose too many ports, but if I get a bigger FortiGate with more ports, those ports can become virtually unusable when using FortiGate + FortiSwitch and that just feels wrong and stupid if i can't be done. :(
yeah ok, i get your reasoning. Fortinet seems to be moving away from the FortiGate models with lots of interface in general is my observation.
and sure you waste some, but in general i don't see it as that much of an issue. i do understand your point, but i would accept just provide enough FortiSwitches for the access ports and build a large enough link aggregate between the FortiGate and the switches.
I think I have the same problem.
One Fortiswitch (fortilink) V-lan should also be on a physical FG interface (aggregated).
Did anyone get this to work, I am having the same issue. I cant seem to map the vlans
Try this:
On FS:
1. create your two VLan IDs with blank IP (0.0.0.0/0.0.0.0)
2. assign the vlans to their respective ports either as native or trunked
On FG:
1. remove the hardware switch ports from any attached interface.
2. create new interface/type/software switch for each vlan.
3. add the members/ports and the associated vlan you want to traverse those ports.
4. configure the IP/Netmask and the DHCP Server options and any other settings you want for that software switch interface/vlan.
One caveat I read that using software switch is not recommended due to possible performance hits.
edit:
I just tried this on one of my set ups and it didn't work properly. Looks like we can only add one fortiswitch created vlan into each software switch. So in doing so, you will need to create two software switch. Only issue with that is, it looks like you may need to connect two patches to the fortiswitch so you can trunk both of the vlans to the switch. So I would just create one software switch for one particular vlan. Then you can connect devices for that vlan onto the fg and fs. Then create a separate vlan on the fs for the second vlan with the proper IP and dhcp settings. Then assign the vlans to the correct ports on the switch.
Sorry rambling...lol
Thank you for your response, seems like we will be separating WAN and FortiLans on our setup.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.