I am trying to create a software switch and bind the SSID to tunnel wireless traffic. As I read, it is required to have a software switch to pass traffic internally between VLANs. However, I have uplink ports added to an 802.3ad aggregate link to the switches where the access points are plugged in. When I create an interface as a software switch, I cannot add the ports that were already added to FortiLink as management; therefore I cannot add the ports already in FortiLink to the software switch as member interfaces to pass traffic to the SSID either. Do you know if it is possible in any way to accomplish this and add ports that are already in an 802.3ad aggregated link?
Software switches are typically used for internal VLAN traffic and may not directly support ports already aggregated in 802.3ad for FortiLink management. One possible workaround is to create a separate VLAN interface for the wireless SSID traffic and configure policies to allow traffic between this VLAN and other VLANs. You can then manage the traffic flow between the VLANs using firewall policies to achieve the desired segmentation and routing.
https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/277799/software-switch
For example, I did set the SSID and radios within the FortiAP/Operational profile settings to Tunnel mode. I created a firewall policy LAN to LAN with the wireless management VLAN 1 and the wireless user VLANs 201 and 202. I enabled round-robin VLAN pooling within the SSID profile. I set the native VLAN of the downstream switch port that is plugged into the PoE switch to VLAN 1. This should tunnel all the user traffic to the controller and then be based on the software switch. However, like you said, 802.3ad ports cannot be added to a software switch. So, are you suggesting just creating a firewall policy, for example VLAN 1 to route traffic to VLANs 201 and 202, and by enabling tunneling within the SSID and the FortiAP/Operational profile, does it route the traffic without the need for the software switch?
Also, does capwap-offload need to be turned on for the tunneling to work as well?
set capwap-offload enable
I did figure out VLAN pooling without a software switch. It happened to be that I was configuring IP addresses on VLANs instead of on sub-interfaces created within the SSID that had tunneling and VLAN pooling enabled. After configuring the interfaces within the SSID and adding those interfaces to the firewall policy, clients were successfully able to get IP addresses from different subnets.
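To make the accepted solution concrete, here is an added FortiOS CLI example of the layout the thread arrived at (this is illustrative configuration written for this page, not a script from the thread or from Fortinet's documentation). The SSID name "corp-wifi", the VLAN IDs 201 and 202, the 10.201.0.0/24 and 10.202.0.0/24 addresses, the "wan1" interface and the placeholder passphrase are all assumed values. The point it shows is the one the answer makes: with a tunnel-mode SSID and VLAN pooling, the per-VLAN addresses and DHCP scopes sit on sub-interfaces whose parent is the SSID interface, and the firewall policy references those sub-interfaces, so no software switch and no FortiLink/802.3ad port membership is involved.

```fortios
# Added example; all names, VLAN IDs, addresses and "wan1" are assumed placeholders.
# 1. Tunnel-mode SSID with round-robin VLAN pooling. Tunnel mode is the default
#    for a VAP (local-bridging disable), so the AP only needs a CAPWAP path to
#    the controller; no FortiLink or 802.3ad port is made a member of anything.
config wireless-controller vap
    edit "corp-wifi"
        set ssid "Corp-WiFi"
        set security wpa2-only-personal
        set passphrase "CHANGE-ME-PLACEHOLDER"
        set vlan-pooling round-robin
        config vlan-pool
            edit 201
            next
            edit 202
            next
        end
    next
end

# 2. The fix from the accepted answer: the addresses live on sub-interfaces
#    whose parent is the SSID interface "corp-wifi", not on VLANs of the
#    physical or aggregate ports.
config system interface
    edit "corp-wifi-201"
        set vdom "root"
        set interface "corp-wifi"
        set vlanid 201
        set ip 10.201.0.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
    edit "corp-wifi-202"
        set vdom "root"
        set interface "corp-wifi"
        set vlanid 202
        set ip 10.202.0.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
end

# 3. One DHCP scope per pool VLAN, bound to its sub-interface, so clients
#    land in different subnets depending on which VLAN the pool assigns.
config system dhcp server
    edit 0
        set interface "corp-wifi-201"
        set default-gateway 10.201.0.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.201.0.10
                set end-ip 10.201.0.250
            next
        end
    next
    edit 0
        set interface "corp-wifi-202"
        set default-gateway 10.202.0.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.202.0.10
                set end-ip 10.202.0.250
            next
        end
    next
end

# 4. Firewall policy from the SSID sub-interfaces outward. Because each pool
#    VLAN is its own interface, traffic between the pools is dropped unless a
#    separate policy explicitly permits it.
config firewall policy
    edit 0
        set name "wifi-pools-to-internet"
        set srcintf "corp-wifi-201" "corp-wifi-202"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

Two practical notes. Round-robin VLAN pooling only spreads clients across the subnets; it is not an access-control boundary on its own, so keep the policy set explicit (as above, nothing permits 201 to reach 202) and log it, and check with `diagnose debug flow` or the policy logs that pool-to-pool traffic really is denied. The thread also asks whether `set capwap-offload enable` (under `config system npu` on NP-accelerated models) is required; that is a hardware-offload setting and the thread does not settle the question, so it is deliberately left out of this example.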
Copyright 2024 Fortinet, Inc. All Rights Reserved.