Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
JHamilton
New Contributor

Created on ‎08-25-2014 07:30 PM

VLAN traffic switching

I' ve just converted my home office network from a competitor' s product (it was blue and had a bridge logo on it) to a FortiWifi-60D. In converting from the other network layout to the new FortiWifi, I am having trouble with my VLAN configuration. My layout has the FortiWifi connected via VLAN trunk to a distribution switch with several VLANs. The FortiWifi is configured in with " set internal-switch-mode interface" . I have the FortiWifi configured so that the VLAN trunking is working just fine to the switch, but I want to have some of the VLANs available on local internal interface ports on the FortiWifi. I have the VLAN trunk set up so that VLAN 1 is untagged, and VLANs 250-254 are tagged. The FortiWifi is configured with IP addresses 172.16.x.1, where the x is the VLAN ID. The trunk is connected internal1. I' d like to connect hosts to the other internal ports to those various VLANs, but I can' t seem to figure out how to set up a port for switching based on a VLAN tag from another port. I hope this is possible, because it was quite simple to set up with the competing product I used previously. Thanks!
10090
0 Kudos
11 REPLIES 11
emnoc
Esteemed Contributor III

Created on ‎08-26-2014 12:25 AM

I' d like to connect hosts to the other internal ports to those various VLANs, but I can' t seem to figure out how to set up a port for switching based on a VLAN tag from another port.
You lost me on this part. Are you trying to connect the hosts to internal2 3 4 5 6 on the FWF60D? and in vlans 250-254 ? of the same 172.16.x.1 networks? If yes than I don' t think you can' t do that? those unique ports are not switching ports. If your trying to connect this to the local-distribution switch, just craft the appropiate vlans for the switch port that you want the hosts in. fwiw,a diagram would be nice and clear up what your trying to describe and express. Nice getting away from the cisco device with a bridge logo. I' m betting it' s a ASA5505 and on that model, the ports are L2-switchports but on a Fortigate they are not in that same fashion. The only other models that work this way btw are juniper SRXs. Where you can take like or un-like ports and install them into a layer2 switchport configuration and group. Why fortinet has not went that way, and other a similar feature is strange.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
3062
0 Kudos
JHamilton
New Contributor

Created on ‎08-26-2014 12:42 AM

Are you trying to connect the hosts to internal2 3 4 5 6 on the FWF60D? and in vlans 250-254 ? of the same 172.16.x.1 networks? If yes than I don' t think you can' t do that? those unique ports are not switching ports.
Yes, I think this is what I' m trying to say. So far, from everything I' ve found, this doesn' t seem possible on the FWF60D, but I wanted to make sure. Here' s a very rough sketch of what I' m trying to do. 
 _________________________________
 |           FWF60D              |
 --1---2---3---4---5---6---7---8--
   |       |       |           |
  VLAN   PC on     PC on       PC on
  trunk  VLAN250   VLAN251     VLAN1
   |
 __|___________________
 |         Switch     |
 ----------------------
  |        |         |
 PC on    PC on    PC on
 VLAN250  VLAN251  VLAN1
The VLAN trunking is working fine, and I can have PCs connected to the various FWF60D ports connected to the untagged VLAN from the VLAN trunk (VLAN1 in the diagram). Anyway, it sounds like I can' t do this, so I may have to rearrange my switches to accommodate the FortiGate' s shortcomings in this area. A small price to pay for the overall improvement over the 5505.
3062
0 Kudos
Warren_Olson_FTNT
Staff
Staff

Created on ‎08-26-2014 08:31 AM

Would it be possible to just not include say ports 3, 5, and 8(in your drawing) in the switch you created? You can specify which ports you want to be a part of the software switch when creating it via gui(or cli for that matter).
3062
0 Kudos
emnoc
Esteemed Contributor III

Created on ‎08-26-2014 08:44 AM

But can he make 3+ software defined switches? That' s the million dollar question. On a cisco ASA5505 and possible a SRX,this should be doable minus the restrictions of the number of vlan, interfaces and ports.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
3062
0 Kudos
JHamilton
New Contributor

Created on ‎08-26-2014 07:11 PM

You can specify which ports you want to be a part of the software switch when creating it via gui(or cli for that matter).
The issue isn' t including the ports in a software switch. The problem is having frames arrive on an 802.1q VLAN trunk with VLAN tags in the header that should get switched to other ports and have the VLAN tags removed, as is appropriate for an access (vs trunk) port on the switch. This seems to be a fundamental design difference between the FortiGate and the ASA with respect to the internal switching capabilities.
3062
0 Kudos
lightmoon1992
New Contributor

Created on ‎08-26-2014 11:42 PM

@JHamilton if i understood your sketch right, all what you need to do it to make three VLANs reaching the FortiGate, right? if so, all what you need to do is to define trunk on the FortiGare, on top of which you create three VLAN interfaces with appropriate VLAN IDs and network IDs. let me know if i miss part of your question Mohammad

Mohammad Al-Zard

 

Mohammad Al-Zard
3062
0 Kudos
JHamilton
New Contributor
In response to lightmoon1992

Created on ‎08-28-2014 09:29 PM

@lightmoon1992 A host on the untagged VLAN would work just fine, but hosts on the other VLANs wouldn' t understand the traffic because of the VLAN tag in the header. Even if they managed to overlook the VLAN tag (not that Ethernet drivers just " overlook" bytes they don' t understand), unless they applied the correct VLAN tag to the outbound traffic, the FortiGate wouldn' t put the frames on the correct VLAN. I might have some machines with NIC drivers that support VLAN tagging, but requiring the host to cooperate in keeping its traffic on the right VLAN would seem to defeat the purpose of segregating the traffic to begin with. In any case, excess packets would be sent to all of the hosts (any broadcast or multicast frames, plus anything for destinations not yet in the MAC address table), adding unnecessary traffic to those links. Plus, it' s not an elegant design.
3062
0 Kudos
MikePruett
Valued Contributor

Created on ‎09-04-2014 02:43 PM

Make the trunk port a member of all vlans....assign the physical ports the machiens plug into part of the appropriate vlan..profit.

Mike Pruett

Fortinet GURU | Fortinet Training Videos

Mike Pruett Fortinet GURU | Fortinet Training Videos
3062
0 Kudos
JHamilton
New Contributor

Created on ‎09-04-2014 08:00 PM

@MikePruett Thanks for the summary of exactly what I want to do. Do you have any suggestions on how to accomplish this feat?
3062
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.