Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
BusinessUser
Contributor

How To Configure "Hardware Switch" As Vlan with "Access Port"

The fortigate switch has multiple ports in the "hardware switch".

I assume that it is a switch virtual interface.

I read that it is a trunk port by default.

How do I change these settings so that it is an access port for the 2 interfaces instead? 

13 REPLIES 13
ede_pfau
SuperUser
SuperUser

Hardware switch ports are no different from ordinary physical ports in that respect. That is, if you use the port "as is", it's untagged and not part of a VLAN. If you create a VLAN with the switch as the base port, it will tag the traffic with the specified VLAN ID.

 

Screenshot 2023-04-26 124641.jpg

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
BusinessUser

"As it is" does it mean using a default vlan of 1?

Is using a vlan of 1 same as "as it is"?

 

I am encountering a situation in which there is a loop because i have 2 interfaces on "internal".

What can i do to resolve this?

Do you have layer 2 portchannels in fortigate? 

PaulRoberts

More or less.  It's something that really commonly throws people, but VLAN 1 is not actually tagged.  Once you're doing VLANs typically the most sensible thing to do is start making all the ports on your switch bind to a specific VLAN and only allow 1 to be present on the ports connecting switches to other switches or any devices where LLDP and STP should still do their jobs to minimize mayhem and confusion.  Basically, VLAN 1 should become a "human free zone" and everything that isn't switching equipment should be talking inside different VLANs.

If you're trunking (where multiple VLANs share the same segment because they're all encapsulated) your ports and including VLAN 1 in the list, that's probably where things are going wrong because traffic is being allowed to freely go from other VLANs to VLAN1, which then goes pretty much everywhere.

gfleming

It's best to think of the HW Switch on a FortiGate as a simple bridge. It's not a fully-featured switch. Do not treat it the same way as you would a standalone switch. HW Switch just means all the ports are bridged together. You can also add VLAN tags to the bridge so any downstream devices sending tagged traffic will get handled appropriately by the bridged ports.

 

Layer2 PortChannels are also not really a thing. You can create a new LACP interface with multiple ports but this removes the ports and the LACP from the HW switch. You could re-join all of these ports together by using a software switch but this is terrible for performance.

 

So again, it's best not to treat the ports on a FortiGate as a standalone switch. Yes, you can bridge them together but switching is best left to dedicated downstream network switches.

 

So, back to your loop. Can you provide us a brief summary of your topology? Do you have two switches connected to your FGT? And those switches are interconnected as well? If so you'll need to enable STP to ensure one of the links is blocked.

Cheers,
Graham
BusinessUser

Can you explain why layer 2 portchannels are not a thing?

 

"You could re-join all of these ports together by using a software switch but this is terrible for performance."

 

Why is it terrible for performance? As long as it solves the problem.

 

gfleming

A software switch processes all of its traffic on the FortiGate CPU. A hardware switch processes all of the traffic on the switch fabric bypassing the CPU. You will most likely kill the CPU if you are running a bunch of traffic over the switchports in a software switch.

 

Layer2 PortChannels aren't a thing because by default when you create a new interface on a FortiGate it is typically a L3 interface. The FortiGate is a router, not a switch. You can create a PortChannel with no address info but you can't join it to a hardware switch. You an create a software switch, however, and join it all together that way.

 

Another alternative, depending on your hardware, you can consider is using a VLAN Switch. This might help with what you want to do:

 

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/183531/virtual-vlan-switch

Cheers,
Graham
BusinessUser

What should I do if I dont want to bridge them together?

gfleming

If you don't want to bridge them together then you just route between the interfaces. You need to define FW policies to allow traffic to flow between interfaces.

Cheers,
Graham
Toshi_Esumi
SuperUser
SuperUser

Unlike Cisco switches, if you create a new interface on an FGT as VLAN and set vlanid 1 like below, it's a tagged interface. Only the parent interface, in your case "internal", is untagged. The hard-switch doesn't support "native VLAN" either. The FortiSwitch(FSW) or VLAN switch with most of "F"-series FGTs support the native VLAN.

 

config system interface

  edit "VLAN1"

    set vdom root

    --<snip>--

    set type vlan

    set interface "internal"

    set vlanid 1

  next

end

 

Toshi

   

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors