Spoil-Equation

VLAN issue on FG-80F with FAP-433F and SW-108-FPOE

Hi all, I'm hoping someone would be able to help.

I initially configured the FG-80F with 4 VLANs: ports 1-4 LAN - 167, port 5 CAM - 10, port 6 IoT - 20.

Then I added a FAP-433F, but since all ports were taken, I removed port b from fortilink, set it to Ethernet Trunk and manually assigned an IP to the FAP-433F, then configured SSIDs for LAN_167 (bridge), IoT_20 (bridge), and Guest VLAN 30 (tunnel) - no SSID for the CAM VLAN. All worked OK.

Then I received the SW-108E-FPOE and decided to move VLANs 20 and 30 onto it. Moving VLAN 20 (CAMs) was easy and all worked with no hiccups; moving VLAN 30 (IoT) presented an issue that I hope knowledgeable minds can help me with.

 

After moving the VLAN from the FG to the FS, wired IoT devices were OK, but wireless IoT devices couldn't get an IP. I've tried moving port b back to fortilink and then configuring a VLAN on fortilink for FAP management, but the FAP never gets an IP. If I create the FAP management VLAN on the switch, it does get an IP and all wireless IoT devices get IPs and start to function, but then my wireless LAN VLAN 167 devices that reside on the FG can't get an IP.

I'd prefer to keep the FAP, if possible, connected to port b of the FG (to maximize port utilization) and allow it to serve wireless clients on both FG and SW VLANs.

 

I don't know what config info would be helpful, so please ask if anything is missing.

Interface:

config system interface
    edit "wan1"
        set vdom "root"
        set mode dhcp
        set allowaccess https
        set ident-accept enable
        set type physical
        set monitor-bandwidth enable
        set role wan
        set snmp-index 1
        config ipv6
            set ip6-mode dhcp
            set dhcp6-prefix-delegation enable
            set ip6-dns-server-override disable
            config dhcp6-iapd-list
                edit 5
                    set prefix-hint ::/60
                next
            end
        end
        set dns-server-override disable
    next
    edit "wan2"
        set vdom "root"
        set mode dhcp
        set type physical
        set role wan
        set snmp-index 2
    next
    edit "internal1" - through 6
        set vdom "root"
        set type physical
        set snmp-index 3
    next
    edit "a"
        set vdom "root"
        set type physical
        set snmp-index 9
    next
    edit "b"
        set vdom "root"
        set type physical
        set trunk enable
        set alias "FAP-433 Trunk"
        set snmp-index 10
    next

    edit "internal"
        set vdom "root"
        set ip 192.168.167.1 255.255.255.0
        set allowaccess ping https ssh fabric
        set type hard-switch
        set alias "internal LAN"
        set device-identification enable
        set lldp-reception enable
        set lldp-transmission enable
        set role lan
        set snmp-index 15
        config ipv6
            set ip6-mode delegated
            set ip6-send-adv enable
            set ip6-other-flag enable
            set ip6-upstream-interface "wan1"
            set ip6-delegated-prefix-iaid 5
            set ip6-subnet ::1/64
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "wan1"
                    set delegated-prefix-iaid 5
                    set subnet ::/64
                    set rdnss 2601:586:c400:5240::1 
                next
            end
        end
    next
    edit "fortilink"
        set vdom "root"
        set fortilink enable
        set ip 10.255.1.1 255.255.255.0
        set allowaccess ping fabric
        set type aggregate
        set member "a"
        set lldp-reception enable
        set lldp-transmission enable
        set snmp-index 16
        set fortilink-split-interface disable
        set switch-controller-nac "fortilink"
        set switch-controller-dynamic "fortilink"
        set swc-first-create 255
    next
    edit "wifi LAN"
        set vdom "root"
        set type vap-switch
        set role lan
        set snmp-index 19
    next
    edit "wifi IoT"
        set vdom "root"
        set type vap-switch
        set role lan
        set snmp-index 22
    next
    edit "wifi Guest"
        set vdom "root"
        set ip 10.30.1.1 255.255.255.0
        set allowaccess ping fabric
        set type vap-switch
        set device-identification enable
        set role lan
        set snmp-index 20
        config ipv6
            set ip6-mode delegated
            set ip6-send-adv enable
            set ip6-other-flag enable
            set ip6-upstream-interface "wan1"
            set ip6-delegated-prefix-iaid 5
            set ip6-subnet ::3:0:0:0:1/64
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "wan1"
                    set delegated-prefix-iaid 5
                    set subnet 0:0:0:3::/64
                    set rdnss 2606:4700:4700::1113 2606:4700:4700::1003 
                next
            end
        end
    next

    edit "internal CAM"
        set vdom "root"
        set ip 10.10.1.1 255.255.255.0
        set allowaccess ping fabric
        set device-identification enable
        set role lan
        set snmp-index 17
        set switch-controller-igmp-snooping enable
        config ipv6
            set ip6-mode delegated
            set ip6-send-adv enable
            set ip6-other-flag enable
            set ip6-upstream-interface "wan1"
            set ip6-delegated-prefix-iaid 5
            set ip6-subnet ::1:0:0:0:1/64
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "wan1"
                    set delegated-prefix-iaid 5
                    set subnet 0:0:0:1::/64
                    set rdnss 2606:4700:4700::1113 2606:4700:4700::1003 
                next
            end
        end
        set interface "fortilink"
        set vlanid 10
    next
    edit "internal IoT"
        set vdom "root"
        set ip 10.20.1.1 255.255.255.0
        set allowaccess ping fabric
        set device-identification enable
        set role lan
        set snmp-index 18
        set switch-controller-igmp-snooping enable
        config ipv6
            set ip6-mode delegated
            set ip6-send-adv enable
            set ip6-other-flag enable
            set ip6-upstream-interface "wan1"
            set ip6-delegated-prefix-iaid 5
            set ip6-subnet ::2:0:0:0:1/64
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "wan1"
                    set delegated-prefix-iaid 5
                    set subnet 0:0:0:2::/64
                    set rdnss 2601:586:c400:5242::1 
                next
            end
        end
        set interface "fortilink"
        set vlanid 20
    next
end

 

config system physical-switch
    edit "sw0"
        set age-val 0
    next
end
config system virtual-switch
    edit "internal"
        set physical-switch "sw0"
        set vlan 167
        config port
            edit "internal1"
            next
            edit "internal2"
            next
            edit "internal3"
            next
            edit "internal4"
            next
            edit "internal5"
            next
            edit "internal6"
            next
        end
    next
end

 

config wireless-controller vap
    edit "wifi LAN"
        set ssid "M-6"
        set passphrase ENC XXX
        set local-bridging enable
        set schedule "always"
        set vlanid 167
        set alias "b"
        set multicast-enhance enable
        set igmp-snooping enable
    next
    edit "wifi IoT"
        set ssid "IoT"
        set passphrase ENC XXX
        set local-bridging enable
        set schedule "always"
        set vlanid 20
        set alias "b"
    next
    edit "wifi Guest"
        set ssid "G-6"
        set passphrase ENC XXX
        set intra-vap-privacy enable
        set schedule "always"
        set quarantine disable
    next
end

 

config system dhcp server
    edit 1
        set lease-time 86400
        set dns-service local
        set wifi-ac-service local
        set ntp-service local
        set default-gateway 192.168.167.1
        set netmask 255.255.255.0
        set interface "internal"
        config ip-range
            edit 1
                set start-ip 192.168.167.10
                set end-ip 192.168.167.200
            next
        end
    next
    edit 2
        set dns-service local
        set ntp-service local
        set default-gateway 10.255.1.1
        set netmask 255.255.255.0
        set interface "fortilink"
        config ip-range
            edit 1
                set start-ip 10.255.1.2
                set end-ip 10.255.1.254
            next
        end
        set vci-match enable
        set vci-string "FortiSwitch" "FortiExtender"
    next
    edit 8
        set lease-time 86400
        set wifi-ac-service local
        set ntp-service local
        set default-gateway 10.30.1.1
        set netmask 255.255.255.0
        set interface "wifi Guest"
        config ip-range
            edit 1
                set start-ip 10.30.1.2
                set end-ip 10.30.1.200
            next
        end
        set dns-server1 1.1.1.3
        set dns-server2 1.0.0.3
    next
    edit 6
        set dns-service default
        set default-gateway 10.255.11.1
        set netmask 255.255.255.0
        set interface "quarantine"
        config ip-range
            edit 1
                set start-ip 10.255.11.2
                set end-ip 10.255.11.254
            next
        end
        set timezone-option default
    next
    edit 7
        set dns-service default
        set default-gateway 10.255.12.1
        set netmask 255.255.255.0
        set interface "rspan"
        config ip-range
            edit 1
                set start-ip 10.255.12.2
                set end-ip 10.255.12.254
            next
        end
        set timezone-option default
    next
    edit 9
        set lease-time 300
        set dns-service default
        set default-gateway 10.255.13.1
        set netmask 255.255.255.0
        set interface "nac_segment"
        config ip-range
            edit 1
                set start-ip 10.255.13.2
                set end-ip 10.255.13.254
            next
        end
        set timezone-option default
    next
    edit 10
        set mac-acl-default-action block
        set dns-service local
        set wifi-ac-service local
        set ntp-service local
        set default-gateway 10.10.1.1
        set netmask 255.255.255.0
        set interface "internal CAM"
        config ip-range
            edit 1
                set start-ip 10.10.1.30
                set end-ip 10.10.1.40
            next
        end
    next
    edit 11
        set dns-service local
        set wifi-ac-service local
        set ntp-service local
        set default-gateway 10.20.1.1
        set netmask 255.255.255.0
        set interface "internal IoT"
        config ip-range
            edit 1
                set start-ip 10.20.1.2
                set end-ip 10.20.1.200
            next
        end
    next
end
config system dhcp6 server
    edit 1
        set interface "fortilink"
    next
    edit 2
        set interface "internal"
        set dns-server1 xxx
    next
    edit 5
        set interface "wifi Guest"
        set dns-server1 2606:4700:4700::1113
        set dns-server2 2606:4700:4700::1003
    next
    edit 6
        set subnet 0:0:0:1::/64
        set interface "internal CAM"
        set upstream-interface "wan1"
        set delegated-prefix-iaid 5
        set ip-mode delegated
        set dns-server1 2606:4700:4700::1113
        set dns-server2 2606:4700:4700::1003
    next
    edit 4
        set interface "internal IoT"
        set dns-server1 2601:586:c400:5242::1
    next
end
config system zone
    edit "Internal LAN Zone"
        set intrazone allow
        set interface "internal"
    next
    edit "Outside Zone"
        set interface "wan1"
    next
    edit "Internal IoT Zone"
        set interface "internal IoT"
    next
    edit "Internal CAM Zone"
        set interface "internal CAM"
    next
    edit "Internal Guest Zone"
        set interface "wifi Guest"
    next
end

 

config switch-controller managed-switch
    edit "S108EFTQ22002755"
        set name "FS-108E-FPOE"
        set fsw-wan1-peer "fortilink"
        set fsw-wan1-admin enable
        set poe-detection-type 1
        set version 1
        set max-allowed-trunk-members 8
        set dynamic-capability 0x00000000000000000009267594c2b9d7
        config ports
            edit "port1"
                set speed-mask 207
                set poe-capable 1
                set vlan "internal CAM"
                set untagged-vlans "quarantine"
                set export-to "root"
                set mac-addr ac:71:2e:65:a2:1f
            next
            edit "port2"
                set speed-mask 207
                set poe-capable 1
                set vlan "internal CAM"
                set untagged-vlans "quarantine"
                set export-to "root"
                set mac-addr ac:71:2e:65:a2:20
            next
            edit "port3"
                set speed-mask 207
                set poe-capable 1
                set vlan "internal CAM"
                set untagged-vlans "quarantine"
                set export-to "root"
                set mac-addr ac:71:2e:65:a2:21
            next
            edit "port4"
                set speed-mask 207
                set poe-capable 1
                set vlan "internal CAM"
                set untagged-vlans "quarantine"
                set export-to "root"
                set mac-addr ac:71:2e:65:a2:22
            next
            edit "port5"
                set speed-mask 207
                set poe-capable 1
                set vlan "internal CAM"
                set untagged-vlans "quarantine"
                set export-to "root"
                set mac-addr ac:71:2e:65:a2:23
            next
            edit "port6"
                set speed-mask 207
                set poe-capable 1
                set vlan "internal IoT"
                set untagged-vlans "quarantine"
                set export-to "root"
                set mac-addr ac:71:2e:65:a2:24
            next
            edit "port7"
                set speed-mask 207
                set poe-capable 1
                set vlan "internal IoT"
                set allowed-vlans "quarantine"
                set untagged-vlans "quarantine"
                set export-to "root"
                set mac-addr ac:71:2e:65:a2:25
            next
            edit "port8"
                set speed-mask 207
                set poe-capable 1
                set vlan "_default"
                set allowed-vlans "quarantine"
                set untagged-vlans "quarantine"
                set export-to "root"
                set mac-addr ac:71:2e:65:a2:26
            next
            edit "port9"
                set speed 1000full
                set speed-mask 216
                set vlan "_default"
                set allowed-vlans "quarantine"
                set untagged-vlans "quarantine"
                set export-to "root"
                set mac-addr ac:71:2e:65:a2:27
            next
            edit "port10"
                set speed 1000full
                set speed-mask 216
                set vlan "_default"
                set allowed-vlans "quarantine"
                set untagged-vlans "quarantine"
                set export-to "root"
                set mac-addr ac:71:2e:65:a2:28
            next
        end
    next
end
manasac

Hi @Spoil-Equation 

The Fortilink interface type is aggregate, so both ports on the aggregated interface should be connected to the FortiSwitch. Connecting a FAP to one of those ports is not supported.

The hardware switch interface type supports connecting different devices to the ports under the same interface.

 

 

Manasa C
Spoil-Equation

"Connecting a FAP to one of those ports is not supported" - even if I remove that port from the fortilink interface?

 

"The hardware switch interface type supports connecting different devices to the ports under the same interface" - can you please elaborate?

 

Can you please give an overview of the supported way my devices should be connected to each other in order for the FAP to serve VLANs on both the FG and the FS?

manasac

Hi @Spoil-Equation 

 

To answer your question, I need to see the network diagram.

You mentioned the wired devices; I need to know how they are connected. Are they connected directly to the FGT, or to a third-party switch and then to the FGT?

It will be easier if you create a support ticket; we will verify your network diagram, current FGT config and the requirements to assist you with the new requirement.

Manasa C
Spoil-Equation

I do have a ticket open since the 12th and am still waiting, so I figured I'd try the forum :) .... sigh
