fjulianom
New Contributor III

Switchport access in FortiGate

Hi guys,

 

My customer wants to replace his Cisco router with a FortiGate. It has several ports configured as trunks allowing certain VLANs, and I know I can easily accomplish this on the FortiGate. But it also has one port configured as a switchport in access mode associated with one VLAN, like this:

 

interface GigabitEthernet0/1/0
 switchport access vlan 88
 no ip address

 

interface Vlan88

 ip address 10.8.8.1 255.255.255.0

 

The FortiGate will be operating in NAT mode. How can I create a FortiGate port in access mode associated with one VLAN as above?

 

Regards,

Julián

emnoc
Esteemed Contributor III

config system interface
    edit port1
        set vdom root
        set ip 10.8.8.1 255.255.255.0
        set allowaccess ping
    next
end

 

That's a standard interface using a non-tagged interface.

 

Ken

 

PCNSE NSE StrongSwan
fjulianom
New Contributor III

Hi Ken,

 

But that port is not associated with any VLAN, and an access port has no IP address either.

 

Regards,

Julián

 

fjulianom
New Contributor III

Hi guys,

 

Any idea? Is that possible?

 

Regards,

Julián

emnoc
Esteemed Contributor III

You're confusing a SWITCHPORT and an SVI; they are not the same, and a FortiGate is not a SWITCH per se. If you want to build a switch (reason unknown), then you can build a switch and set a LAN interface.

 

 

Google "fortigate" and "internal-switch" for an example of a switch. If you need an interface as a layer 3 interface attached to an Ethernet LAN, the above configuration will demo that.

 

 

fjulianom
New Contributor III

Hi Ken,

 

I am not confusing switchport and SVI, and I know they are not the same (many years working on this and also CCNP like you, though a beginner in FortiGate). The customer's Cisco router is not a switch itself either, but you can convert a layer 3 interface into a switchport (layer 2 interface). My customer wants to replace his router with the FortiGate and then replicate its configuration, and that's the reason I am asking whether this part of the configuration is possible on a FortiGate:

 

interface GigabitEthernet0/1/0
 switchport access vlan 88
 no ip address

 

Regards,

Julián

 

emnoc
Esteemed Contributor III

If your port is a switchport, that means you're a SWITCH. It means you are learning MAC addresses as a SWITCH; it means you are participating as a SWITCH (BPDUs, spanning tree, etc.).

 

Do you want the FortiGate to be a SWITCH and carry all of the above?

 

If yes, then Google "fortigate" and "internal-switch" as suggested before, select the port(s) you want to be part of a switch, and follow the KB.

 

An internal switch will still need a layer 3 addressed interface for that switch if you plan on routing through it or attaching route/NAT-mode firewall policies.

 

"The customer's Cisco router is not a switch itself either, but you can convert a layer 3 interface into a switchport (layer 2 interface)."

 

 

I have never heard of a Cisco router that can be a switch, but I have heard of L2/3 switches that are routers. So what is the customer's device, a switch or a router? ("show inv hardware" or "show version")

 

 

Ken

 

fjulianom
New Contributor III

Hi Ken,

 

Today I was at the customer's site and saw the device. It is a Cisco 2901 router, but the point is that it has an EHWIC switch module, where the switchport was configured.

 

I will deal with VLAN 88 by configuring an interface VLAN88 with an IP address, associated with the trunk interface as well.

 

Many thanks for your support,

Julián
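Julián's resolution above (an interface VLAN88 carrying the IP address, attached to the trunk) written out in FortiOS CLI, as an added example that is not part of the thread. The interface names port2 (the 802.1Q trunk towards the LAN switch) and wan1 (the Internet-facing port) and the policy ID 10 are assumptions; 10.8.8.1/24 comes from the original Cisco config. Lines starting with # are explanatory comments, not FortiOS CLI syntax; strip them before pasting.

```fortios
# Added example, not from the thread. Assumed names: port2 = trunk, wan1 = WAN.

# The trunk port itself carries no IP address: it only receives 802.1Q-tagged frames.
config system interface
    edit "port2"
        set vdom "root"
        set role lan
    next
    # Equivalent of Cisco "interface Vlan88 / ip address 10.8.8.1 255.255.255.0".
    # The 802.1Q tag is removed on port2, so this sub-interface only ever sees
    # untagged VLAN 88 traffic.
    edit "vlan88"
        set vdom "root"
        set ip 10.8.8.1 255.255.255.0
        set allowaccess ping
        set interface "port2"
        set vlanid 88
        set role lan
    next
end

# NAT-mode policy: hosts in 10.8.8.0/24 reach the Internet via wan1 with source NAT.
config firewall policy
    edit 10
        set name "vlan88-to-internet"
        set srcintf "vlan88"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Verify with `show system interface vlan88` and `get router info routing-table connected` (10.8.8.0/24 should show as connected via vlan88). This reproduces only the SVI half of the Cisco config: a host cabled untagged into port2 lands on port2, not on vlan88, so the "switchport access vlan 88" port is still missing.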

nbanba
New Contributor II

Hi all

 

I may have found a way to do this in a KB article on VXLAN over IPsec: https://kb.fortinet.com/kb/documentLink.do?externalID=FD40170

I was looking for a way to untag a VLAN on the FortiGate before extending it to another site with a VXLAN over IPsec tunnel, in which only untagged frames are supported.

Here is the solution. It consists of creating a VLAN interface attached to a physical interface or a LAG interface (my case) and leaving the VLAN interface in layer 2 (no route, no IP configured, etc.; ONLY the VLAN tag). I successfully tested it on a VXLAN configuration, where I can add my VLAN interface to the virtual switch ONLY when I remove the IP of the VLAN and the route from the routing table.

The necessary condition for an interface to be a member of the virtual switch on a FortiGate together with a VXLAN IPsec interface is that the VLAN arrives UNTAGGED in the virtual switch.

The equivalent on a Cisco router/switch would be:

int GiX/Y/Z
 switchport mode access
 switchport access vlan XXX
 no ip address
!

The 'no ip address' keeps the Cisco router switch module interface in layer 2.

 

Here is the interface configuration : 

FTG100F-1 # show system interface LAN-USER-VOIX

config system interface
    edit "LAN-USER-VOIX"
        set vdom "root"
        set device-identification enable
        set role lan
        set snmp-index 45
        set interface "AGG-LAN"
        set vlanid 100
    next
end

 

FTG100F-1 # show system interface AGG-LAN

config system interface
    edit "AGG-LAN"
        set vdom "root"
        set allowaccess ping
        set type aggregate
        set member "port5" "port6"
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 12
    next
end

 

The Fortinet knowledge base says, for my case:

This alternative configuration does not conflict with the fact that FortiOS only supports the forwarding of untagged frames. The 802.1Q tag has already been stripped off when a frame reaches the vlan1234 (sub-)interface. 802.1Q tagged frames are received on the physical interface (here, port2), not on the vlan1234 (sub-)interface.  

(extract from the Fortinet KB) :

//

// Alternative scenario: The LAN side could be a Vlan (sub-)interface.
//
 
config system interface
    edit "vlan1234"
        set interface "port2"
        set vlanid 1234
    next
end
 
config system switch-interface
    edit "soft_switch"
        set member "vlan1234" "VxLan-IPsec"
        set intra-switch-policy explicit
    next
end
 
config firewall policy
    edit 1
        set srcintf "vlan1234"
        set dstintf "VxLan-IPsec"
        …
    next
    edit 2
        set srcintf "VxLan-IPsec"
        set dstintf "vlan1234"
        …
    next
end
 

Now in my config I can have this scheme:

 

TAGGED VLAN XXX----->FGT1<-----VXLANoverIPSEC--->FGT2 <----UNTAGGED VLAN XXX

 

Kind regards

nbanba
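The same mechanism nbanba describes (an IP-less VLAN sub-interface as a member of a software switch) also answers Julián's original question: bridging the untagged VLAN 88 sub-interface of the trunk with a dedicated physical port makes that port behave like "switchport access vlan 88", with the IP address living on the switch interface (the Cisco "interface Vlan88"). Below is that configuration as an added example; it is not from the thread or from the Fortinet KB. The names port2 (trunk), port3 (the port to turn into an access port), wan1 (WAN), sw-vlan88 and policy ID 88 are assumptions. Lines starting with # are explanatory comments, not FortiOS CLI syntax; strip them before pasting.

```fortios
# Added example, not from the thread. Assumed names:
#   port2 = 802.1Q trunk towards the LAN switch
#   port3 = port that should behave as "switchport access vlan 88"
#   wan1  = Internet-facing interface

# 1. VLAN 88 sub-interface on the trunk, deliberately WITHOUT an IP address.
#    The 802.1Q tag is stripped here, so what this interface hands to the
#    switch is untagged VLAN 88 traffic, which is what a switch member needs.
#    Neither vlan88 nor port3 may have an IP, a static route or a policy
#    referencing it, or the switch-interface edit below is refused.
config system interface
    edit "vlan88"
        set vdom "root"
        set interface "port2"
        set vlanid 88
        set role lan
    next
end

# 2. Bridge the untagged sub-interface with the physical port.
#    port3 is now effectively an access port in VLAN 88.
#    intra-switch-policy implicit = frames between members are bridged with
#    no firewall policy, like a plain switch. Use explicit (as the KB does)
#    if you want to inspect traffic between port3 and the trunk's VLAN 88.
config system switch-interface
    edit "sw-vlan88"
        set vdom "root"
        set member "vlan88" "port3"
        set intra-switch-policy implicit
    next
end

# 3. The Cisco "interface Vlan88" address goes on the switch interface,
#    never on a member.
config system interface
    edit "sw-vlan88"
        set ip 10.8.8.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
end

# 4. NAT-mode policy out to the Internet, referencing the switch interface.
config firewall policy
    edit 88
        set name "vlan88-to-internet"
        set srcintf "sw-vlan88"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Two caveats a practitioner should weigh before deploying this: a software switch is bridged by the FortiGate CPU rather than the hardware switch fabric, so it is a fit for a handful of hosts, not a high-throughput segment; and with intra-switch-policy implicit the FortiGate is not firewalling between port3 and the rest of VLAN 88, which is the same trust model as the original Cisco access port but should be a deliberate choice.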

Brons2
New Contributor II

Yeah, I have this exact same problem.  How to get the on-box 40F LAN ports and the ports on a 108E on the same VLAN, or no VLAN would be fine too.

 

We're replacing Cisco ISR1941 routers that have expansion cards in them.  We have 500+ remote sites, with a lot of them being smaller.  At any site with 1 to 8 computers, they just have the 1941 and not any switch; the max port expansion is 8 ports and we have many like that.  Unlike FortiGate, Cisco does not tell me that I can't use any port on the device as an access port and otherwise do whatever I want with it, but FortiGate wants every on-box port to act like a trunk if you have any intention of adding a VLAN.  This seems like an unfortunate limitation in flexibility.  I mean, all you have to do on Cisco is tell it you want to set any physical port as switchport access, but I suppose that's neither here nor there...

 

We bought 40F-3G4G units to replace roughly half the 1941s.  The 40Fs only have 3 LAN ports on them, so they are more limiting than the 1941s that we came from, but oh well.  We bought about 50 108E 8-port FortiSwitches and 200 124E.  I'd like to put both the on-box ports and the 108E ports on the same VLAN for offices that have between 4 and 11 computers.  I suppose for sites that have between 4 and 7 computers, I could just put in the 108E and not use the on-box ports at all, and for sites with between 1 and 3 computers just use the on-box ports.  But it's a bit awkward between 8 and 11.

 

I kind of regret not buying all 24-port switches; the cost difference between the 108E and 124E is not very high, and the extra money per switch could probably have been justified as being necessary for standardization.

 

Whatever we end up doing, the configuration needs to be repeatable so I don't spend half a day messing around with little FortiGates like I have today.
