Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

Fortigate 200B Switch port Query

Hey Guys. I hope someone can help me on this. I have a FortiGate 200B with an 8-port switch and 8 interface ports. Is it possible to take one port out of the switch portion and turn it into a routed interface (give it an IP etc.)? Any help would be greatly appreciated. Thank you, Liam
13 REPLIES
Carl_Wallmark
Valued Contributor

Hi and welcome. Yes, it's possible, but there are some things you need to think about: you can split the 8-port switch into single interfaces, and with this setup there is nothing to think about. But if you want to take just 1 port out, you first need to split the switch into interfaces and then create a software switch with the 7 remaining interfaces. And this is the thing: it's a software switch, and it uses the CPU and not the hardware.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

Not applicable

Hey 'Selective', thank you for your reply. At the moment there is one connection to the LAN from the switch. It has policies attached to it and an IP address. I feel I am going to have to arrange downtime to reconfigure this, as the split would affect all ports. Would I be correct in saying this? No way to split a portion of the switch, for example? Again, many thanks for your reply.
rwpatterson
Valued Contributor III

Liam, please explain to us all what your current setup is and what your goal is. There may be a way to do it that is far less intrusive.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Not applicable

Hey. All the routed ports are used. Need more. There's one switch port being used. It has an IP address assigned and policies etc. This should ideally be on a routed port. Thanks for your help.
rwpatterson
Valued Contributor III

Would there be a way to use VLANs along one of the switched ports and plug that into an aware switch? The FGT would still be doing its functions, but the switch would hold the devices (as it may be doing now), with one physical interface connecting the two instead of multiple interfaces.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

FortiRack_Eric
New Contributor III

If you change the switch port of a 200B to interface mode then you have port1 - port8. What you can do is create a softswitch and add port2 - port8. This is done via the CLI in MR2 or before and also via the GUI in MR3.
 config system switch-interface
 edit "sswitch"
    set member port2 port3 port4 port5 port6 port7 port8
 next
 end
Cheers, Eric

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
ede_pfau
Esteemed Contributor III

That's the way to go. Maybe someone should tell you that you can only change the switch setting after all references to the switch member ports have been removed - policies, server, other objects. I would recommend you do the change offline: download the config, edit it to enable the switch
 config system switch-interface
 edit "switch"
    set member port2 port3 port4 port5 port6 port7 port8
 next
 end
and restore the config, causing a reboot. I know that this sounds a bit drastic :) but it might save you a lot of detective work and reconfiguring. Note that Eric meant "switch" when writing "sswitch" - if you name the interface differently then you'd have to edit all policies involved etc.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
FortiRack_Eric
New Contributor III

I did write sswitch on purpose to avoid mixup with the physical port name.

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
ede_pfau
Esteemed Contributor III

But then all policies would fail that use the 'switch' interface. 'switch' as factory default is just a name and a software switch; it's not a physical port at all. In one of the last posts Selective had doubts whether the performance would suffer from using the seven-port software switch. It does not, for the same reason: the factory default is a software switch. The CPU deals with it, so no NPU acceleration. One more good reason to break it up.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
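The offline procedure the thread converges on (split the internal switch into interfaces, then recreate a software switch named "switch" with port2 - port8 so existing policies keep resolving) has one trap Ede points out: any object still referencing the switch interface blocks a live mode change. The script below is an added example written for this thread; it is not Fortinet code and was not posted by any participant. It treats a FortiOS config backup as text, lists every object that references a given interface name, and renders the switch-interface stanza to paste into the edited config. Assumptions: the indented config/edit/set/next/end grammar is the one shown in the posts above, and the keys listed in INTERFACE_KEYS are the ones that carry interface names; SAMPLE_CONFIG is a constructed backup, not a real device's config.

```python
"""Offline pre-check for carving one port out of a FortiGate 200B internal switch.

Added example for the forum thread above; not Fortinet code and not code posted
by any participant. It parses a FortiOS config backup as text, reports every
object that still references a given interface name, and renders the software
switch stanza using the factory name "switch".
"""

# Assumed: config keys whose values are interface names.
INTERFACE_KEYS = {"srcintf", "dstintf", "interface", "device", "associated-interface"}

# Constructed sample backup: one policy and one DHCP server bound to "switch".
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT200B-lab"
end
config firewall policy
    edit 1
        set srcintf "switch"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
end
config system dhcp server
    edit 1
        set interface "switch"
    next
end
config router static
    edit 1
        set device "wan1"
    next
end
"""


def find_interface_references(config_text, names):
    """Return [(section, object, key, name)] for every set-line whose value is
    one of `names`; nested config blocks are tracked with a stack."""
    refs = []
    sections = []   # stack of "config ..." headings
    objects = []    # current "edit" object per open section
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            sections.append(line[len("config "):])
            objects.append(None)
        elif line.startswith("edit ") and objects:
            objects[-1] = line[len("edit "):].strip().strip('"')
        elif line == "next" and objects:
            objects[-1] = None
        elif line == "end" and sections:
            sections.pop()
            objects.pop()
        elif line.startswith("set ") and sections:
            key, *values = line[len("set "):].split()
            if key in INTERFACE_KEYS:
                for value in values:
                    value = value.strip('"')
                    if value in names:
                        refs.append((sections[-1], objects[-1], key, value))
    return refs


def software_switch_stanza(name, members):
    """Render the config system switch-interface block for a software switch."""
    quoted = " ".join('"%s"' % m for m in members)
    return "\n".join([
        "config system switch-interface",
        '    edit "%s"' % name,
        "        set member " + quoted,
        "    next",
        "end",
    ])


def plan_split(config_text, routed_port, switch_name="switch", port_count=8):
    """Plan carving `routed_port` out of the switch: the remaining ports become
    members of a software switch named `switch_name`. Returns the member list,
    the references that would block a live mode change, and the stanza to add."""
    all_ports = ["port%d" % i for i in range(1, port_count + 1)]
    if routed_port not in all_ports:
        raise ValueError("unknown port: %s" % routed_port)
    members = [p for p in all_ports if p != routed_port]
    return {
        "members": members,
        "blocking_references": find_interface_references(config_text, {switch_name}),
        "stanza": software_switch_stanza(switch_name, members),
    }


if __name__ == "__main__":
    plan = plan_split(SAMPLE_CONFIG, "port1")
    for section, obj, key, name in plan["blocking_references"]:
        print("still references %s: %s / edit %s / set %s" % (name, section, obj, key))
    print(plan["stanza"])
```

Run it against a downloaded backup instead of SAMPLE_CONFIG: an empty "blocking_references" list means the mode change can be done live; otherwise the listed objects are the ones to clear first, or the reason to take Ede's offline edit-and-restore route, where the rendered stanza keeps the name "switch" so the policy references survive the restore.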