AlexPien
New Contributor II

FortiGate to FortiSwitch PVLAN configuration

Hi together,

 

We have some FG2600F and FS1048E and I want to implement PVLAN on my FortiSwitch infrastructure. Unfortunately my first tests failed and I am not sure if I have a problem in the design, or in the configuration. 

 

We want to implement some VLANs, with community and isolated VLANs as sub-VLANs. On the FortiGate I have a VLAN interface on the FortiLink LinkAgg, which is for example VLAN 100 and has the IP 10.0.1.1/24. In the FortiSwitch configuration I said that VLAN 101 is the isolated VLAN of VLAN 100 and 110, 111, ... are my community VLANs. All clients of VLANs 101, 110 and 111 have IP addresses from the range of VLAN 100. But in the isolated VLAN the VMs have no possibility to talk to each other, and in the community VLANs they are able to talk to each other inside the same community.

 

The configuration of the PVLAN on the FortiSwitch is straightforward, but I am struggling with the configuration of the promiscuous port, which should be the FortiLink. As well I see some difficulties when it comes to the vendor break, because we still have some Cisco switches in the environment.

 

[Image: FortiSwitch-PVLAN.jpg]

I appreciate your feedback. I really like the idea of using PVLAN inside the infrastructure to add additional security. Unfortunately the topic is quite badly documented.

 

Best Regards 

 

ebilcari
Staff

I'm not aware of a method to mix PVLAN and FortiLink mode. What you can do if it fits your requirements is to use "Block intra-VLAN traffic". It's a feature that can be enabled at VLAN level and will force all the intra VLAN traffic to pass through FGT.

Proxy ARP needs to be enabled on the GW (interface in FGT), and a firewall policy (same interface as source and destination) will control the traffic between the hosts that are part of the same VLAN.

Keep in mind that this may not be feasible for VLANs in a DC that have a large amount of horizontal traffic.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
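As an added illustration of the "Block intra-VLAN traffic" approach Emirjon describes (example configuration added here, not the poster's or Fortinet's own), the FortiOS CLI below assumes a FortiLink VLAN interface named `vlan100` carrying the 10.0.1.1/24 address from the question, a FortiLink interface named `fortilink`, and an arbitrary policy ID of 10; the option names should be checked against the FortiOS version in use.

```text
# Added example (FortiOS CLI). Assumptions: interface names "vlan100" and
# "fortilink", VLAN 100 with 10.0.1.1/24 (from the question), policy ID 10.

# 1. Block port-to-port traffic inside VLAN 100 on the FortiSwitch so that
#    hosts in the VLAN cannot reach each other without passing the FortiGate.
config system interface
    edit "vlan100"
        set vdom "root"
        set ip 10.0.1.1 255.255.255.0
        set allowaccess ping
        set vlanid 100
        set interface "fortilink"
        set switch-controller-access-vlan enable
    next
end

# 2. Proxy ARP: the FortiGate answers ARP requests for the other hosts in the
#    subnet, so host-to-host frames are addressed to the gateway and are
#    subject to firewall policy instead of being switched locally.
config system proxy-arp
    edit 1
        set interface "vlan100"
        set ip 10.0.1.2
        set end-ip 10.0.1.254
    next
end

# 3. A policy with the same source and destination interface decides which
#    host-to-host traffic inside VLAN 100 is allowed, and logs it. Anything
#    not matched here is dropped by the implicit deny.
config firewall policy
    edit 10
        set name "intra-vlan100-hosts"
        set srcintf "vlan100"
        set dstintf "vlan100"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

In practice the policy would be narrowed to the address objects and services that genuinely need to talk to each other inside the VLAN; the "all"/"ALL" values above only show where the control point sits. Because every intra-VLAN flow now traverses the FortiGate, the traffic log of policy 10 also becomes a useful place to spot unexpected lateral connections between hosts that previously were invisible to the firewall.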
AlexPien
New Contributor II

Thanks for your feedback. Unfortunately I can't use this feature, because I have isolated and community vlans in my infrastructure.

 

I have already seen that PVLAN is not supported in FortiLink mode. Now I have reset my switches and put them in standalone mode. The problem is that I do not see any documentation about a promiscuous trunk port in the FortiSwitch documentation. I think I need this feature, otherwise I can't implement this setup as expected. Any ideas?

ab1875

Hi Alex, did you ever solve this? I am also struggling with getting this to work.

AlexPien
New Contributor II

Hi, 

well I found a solution in this case. There are some difficulties:

1. The FortiSwitch must be in standalone mode, not FortiLink mode.

 

2. PVLAN is only supported with the native VLAN, i.e. one VLAN per physical interface or LAG, because Fortinet does not support a promiscuous trunk, only a promiscuous port. Based on this I have configured multiple (4x) 2x10G links between FortiSwitch and FortiGate and configured a native VLAN on each LAG, and on that the private VLAN.

 

Is this answering your question? If necessary I can add some configuration or a sketch later, but currently I have only little time.
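To make the two points above concrete, here is an added example of what such a standalone-mode layout looks like in the FortiSwitchOS CLI (example added here, not the poster's configuration). It uses the VLAN IDs from the thread (primary 100, isolated 101, communities 110 and 111); the LAG name `lag-fgt` and host ports `port10`/`port11` are placeholder names, and the private-VLAN options follow the FortiSwitchOS standalone CLI as documented, so they should be verified against the FortiSwitchOS version in use.

```text
# Added example (FortiSwitchOS standalone CLI). Assumptions: primary VLAN 100,
# isolated VLAN 101, community VLANs 110 and 111 (from the thread); "lag-fgt",
# "port10" and "port11" are placeholder interface names.

# Primary VLAN 100 with its isolated and community sub-VLANs.
config switch vlan
    edit 100
        set private-vlan enable
        set isolated-vlan 101
        set community-vlans 110 111
    next
end

config switch interface
    # Uplink LAG to the FortiGate: the promiscuous port. Its native VLAN is the
    # primary VLAN, and since only one native VLAN fits per port or LAG, each
    # private VLAN needs its own LAG toward the FortiGate (point 2 above).
    edit "lag-fgt"
        set native-vlan 100
        set private-vlan promiscuous
    next
    # Host port in the isolated sub-VLAN: may talk only to the promiscuous
    # port, never to other isolated hosts.
    edit "port10"
        set private-vlan sub-vlan
        set sub-vlan 101
    next
    # Host port in community sub-VLAN 110: reaches peers in 110 and the uplink,
    # but not hosts in 101 or 111.
    edit "port11"
        set private-vlan sub-vlan
        set sub-vlan 110
    next
end
```

The layering to keep in mind: all hosts in 101, 110 and 111 still share the 10.0.1.0/24 addressing of VLAN 100 and reach the FortiGate through the promiscuous LAG, so the FortiGate only sees one interface per primary VLAN, while the isolation between hosts is enforced by the switch rather than by a firewall policy. Checking that an isolated host cannot ping another isolated host, but can ping the gateway, is the quickest functional test of the configuration.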
