Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AlexTheFortigreat
New Contributor

Created on ‎04-16-2024 09:36 AM

Moving away from Software Switches - need opinions

vlans1.png

We are using a pair of Fortigate 200F's for inter-vlan routing and having some bandwidth issues due to traffic not getting offloaded to NPU. This is due to our use of software switches. I want to make sure I am not missing anything here. We are wanting to move away from software switches

 

Currently we have 3 access switches (sw-access01 - 03) connected to the fortigate. They are each connected with 2 ports in an aggregate. Under each aggregate we have multiple VLANs defined (100,101,102, etc) with no IP. What you see in the picture, sw-acc-acc1.100 (vlan 100) for example, also exists under sw-access02 and 03.

 

We then have software switches created for each vlan with the IP address defined. We then add each VLAN from the aggregates as interface members on the software switch. Then the VLANs are added to "inside-trust". Most of our firewall policies use address objects/groups & inside-trust so the transition to move off of this setup should be simple.

 

The plan is to remove these software switches completely and leave the VLANs under the aggregates as they are now, but add an IP address to one of them such as shown in the image below.

 

 

Image.png

 

Additionally, we will remove the software switches from the inside-trust zone and instead add the VLAN interfaces or possibly aggregates; not sure on this.

 

Am I missing anything here? Been dealing with software switches causing issues for way too long.

Labels:
203
2 REPLIES 2
saleha
Staff
Staff

Created on ‎04-17-2024 05:21 AM

Hi AlexTheFortigreat,

 

Thank you for reaching out. My understanding is you want to remove the software switches while migrating the sub vlan interfaces from these switches to other physical or aggregate ports. You will need to migrate the vlans first to the new locations by creating them. You may run into a problem with vlan and subnet over lapping which can be handled as a temporary work around by enabling subnet overlapping:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enable-subnet-overlap-to-set-IP-addresses-...

Bare in mind that it is not recommended to keep subnet overlapping as it creates issues with routing and dhcp among possible other issues. The alternative is to delete the sub interfaces and remove all reference for these software switches in all applicable configuration including the interface zones, create the new vlan interfaces under the new aggregate or physical interfaces, delete the software switches and add the new vlan interfaces to the same zone the software switches were occupying before.

There are a lot of moving parts in this plan and I would recommend creating a support ticket if this firewall have active contract to discuss with one of TAC engineers over a remote session in case other details require attention.

Thank you,

saleha

102
devrata
New Contributor

Created on ‎04-17-2024 10:12 AM Edited on ‎04-20-2024 05:12 AM

Would love that job myself. Doing a cs postgrad but coding not for me. Making demos and home labs for sales sounds pretty fun though. Most feedback I'm getting is its not something they give to someone with no tech chops so probably be waiting a few years to get a chance https://100001.onl/ 

83
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.