Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
journeyman
Contributor

How to bridge or make a switch between a physical port and a vlan interface?

On a FGT60E running FortiOS v6.4, is there a way to create a "switch" with interface members internal2 and vlan_xyz?

 

Once we have the two interfaces bridged we wish to control (typically, block) multicast propagation between the two.

 

In FortiOS 6.4 I can see some likely suspects

config system physical-interface  # does not seem directly useful
config system software-interface  # ideal if we could add a vlan interface
config system virtual-interface

Perhaps software-interface is the best candidate? But in our current configuration none of these will accept a vlan interface as a member, can this be done and if so how? Is there some global setting I have overlooked to allow the behaviour we want? Is there an alternative simple way to achieve the end result?

I hope we can avoid building a transparent vdom.

6 REPLIES 6
AlexC-FTNT
Staff
Staff

How would this work logically?

If you bridge a VLAN (logical) + a physical port... what is the logical outcome?

What I mean is that the "physical port" is on the logical side either in the same VLAN, or a trunk.

If same vlan > VLAN switch may be the choice for you (maybe not in this small unit):https://docs.fortinet.com/document/fortigate/6.2.0/new-features/775595/virtual-switch-support-for-fo...
But if you can hypothetically pair a VLAN port with a trunk port, the VLAN port will only take the traffic tagged in its own VLAN, dropping everything else. And if you don't want this, then the solution is to make separate interfaces and have proper routing in between them.

Now, multicast is by default nor forwarded past the broadcast domain. Broadcast domain is contained by the first router.

If your goal is to block multicast, you don't need a switch construct.

If your goal is to forward multicast, you must use a switch construct (all ports in same VLAN if that's the goal).


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
journeyman

Thank you for your reply.

 

The aim is managed switch-like behaviour, for the physical port to become an edge port on the vlan and ideally appear to users as just another port, and we would then have the ability to block multicast by policy assuming we could `set intra-switch-policy explicit` and then apply a multicast policy.

 

The "normal" functionality we want is easy on a managed switch, but there is a specific corner case we are trying to eliminate that we can't block on our switches, where a multicast packet arrives tagged with vlan 0 (which is an error and is correctly interpreted by the switch as a priority tag, but it causes a _whole_ world of trouble).

 

We are trying to use the firewall in some way to block multicast without having another subnet / using routing.

 

I believe that we could potentially assign two ports to a transparent vdom to achieve what we want (basically a bump in the wire), but it costs us an extra physical port and we have not used vdoms before.

sw2090
Honored Contributor

Basically a physical interface with vlans attached to it on a fortigate behaves just like a vlan trunk on a managed switch does.

That means the subnet/vid the physical interface has/is connected to would be the pvid. So all traffic that doesn't match any vid attached to that physical interface will hit the physical interface while traffic that matches one of the attached vids will hit the corresponding vlan interaface.

Multicast traffic will afaik anyways not be routed between different vlans/subnets unless you create some multicast policy for it.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
wangwenpin

Hi,

I've the same question, is it possible to create more than one layer 2 vlan Interfaes (without any IP address assigned to it), and bridge all the vlans with one physical interfaces together works like a switch, then assign an IP address to the physical interface as default gateway and DHCP server.

The similar function provided by PFsense listed below for your reference:

PFsense:

How To PFSense Configure Network Interface As A Bridge / Network Switch - nixCraft (cyberciti.biz)

 

Palo Alto:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRqCAK

 

Thanks!

wangwenpin

Hi,

I've found the solution that was already mentioned in Fortiswitch and Fortigate admin. guide, that is :

https://docs.fortinet.com/document/fortiswitch/7.4.1/fortilink-guide/546342/configuring-vlans

Configuring multiple managed FortiSwitch VLANs to be used in a software switch

Starting in FortiOS 7.2.0 with FortiSwitchOS 7.2.0, you can add multiple managed FortiSwitch VLANs to a software switch using the GUI or CLI. In previous releases, you could add only one managed FortiSwitch VLAN per FortiGate device to a software switch.

Traffic between two VLANs is controlled by the intra-switch-policy setting under the config system switch-interface command. By default, intra-switch-policy is set to implicit, which allows traffic between software switch members.

attahced. is my lab network diagram for your reference.network.png

sw2090
Honored Contributor

we are running 7.0 currently and what you can do with this is: you can create a switch out of physical interfaces and then attach vlans to the switch interface. Then this would mean the member interfaces of the switch are vlan trunks (i.e. tagged in all attached vlans). I do this with up to 20 vlans on one vswitch on my FGTs and it work fine. 

Then there is Uplink from that vswitch members to my core switches where the corresponding port is also configured to be a vlan trunk. Then vlans can be (un)tagged to the other ports on the switches as required.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Labels
Top Kudoed Authors