Support Forum
Devious_Duck
New Contributor

FortiSwitch VLAN & Trunking limitations - Why can't they work like Cisco's :)

All,

Greetings!  I have been beating my head against a wall for a week to attempt to do something that I can do on a Cisco(shhhh) in ten minutes. But I am trying to save the company $$$$ and make life as unbearable on myself as I possibly can. HEY!!!!! I'm at least half way there.


So..... I'll cut to the chase. It seems that if you want full VLAN routing functionality with FortiSwitches, they need to be controlled by a FortiGate firewall.... 1. Is this a correct assumption on my part?


Here is what I am trying to do.


Medium size corporate & manufacturing campus

2 vlans

1 default

10 wireless


Mix of Cisco, HP, Netgear, & FortiSwitches 224B & 224D, OS 1.0.1 (the Forti were originally just used for wifi).


I want to install a fortiswitch in the same capacity as I would my Cisco. Namely, trunk port 24 and allow vlan10 ONLY on ports 1-4 and vlan1 on remaining ports.


So I have tried tagging & untagging ports, but to no success. The wireless is on a separate subnet and wifi APs ARE controlled by the Fortigate FW.


However, VLAN10 traffic is not making it to Ports 1-4 to allow the AP to communicate back to FW.


So it seems I am missing the trunking portion or whatever terminology Fortinet uses.... OR.... this is a function that needs a Fortigate that controls the switches to accomplish.


Hopefully I expressed that somewhat clearly. :(

Thanks in advance for any advice.


A little more back story on how the wifi was originally set up. 

The Fortiswitches were configured on the 104 subnet, as are the APs.

A port was tagged on the main network switch for each location; that was connected to the tagged port on the Fortiswitch, which then had the APs plugged in.


So you had two 24-port switches in a cabinet. The Fortiswitch only had 1 port used as uplink and as little as 1 port to an AP. This was done because of the PoE capability, I assume.


So I am trying to more efficiently use these switches, but I am just not able to get the functionality that I need out of them at this time.


ede_pfau
Esteemed Contributor III

hi,

and welcome to the forums.


I don't quite understand your problem. You state that the APs are controlled by a Fortigate. Wireless and Switch controller are both included in FortiOS, down to the smallest model. So, why don't you just configure the FSWs from your FGT?


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Devious_Duck

Thanks for the reply Ede.


Again, all of this may be based on my ignorance of how Fortinet devices work together. Our Firewall has no option that I can find for switch control. It has wifi control.


Firewall is Fortinet 300D - Firmware is 5.2.2, build 642 (GA) - HA status is standalone, Operation mode is NAT

Switch is Fortiswitch 224B running OS 1.0.1


I read a post that said under Switch & Wifi Controller ---- but I do not have that option.


ede_pfau
Esteemed Contributor III

Check under System > Config > Features, enable "WiFi & Switch Controller".

That was the easy part.


FortiOS v5.2 does support managing FortiSwitches from the FGT GUI. But...only D series models are supported. Frankly, the B series is a bit outdated. The current switch series is the E series.


On another note: please do yourself a favor and upgrade to latest v5.2 soon - v5.2.13. There are some severe security holes fixed along that way. Or check out v5.4 (read first: 'What's new in FortiOS v5.4').

All of that on support.fortinet.com and docs.fortinet.com.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Devious_Duck

Awesome Thanks Ede. Pretty much answered my question!

With what you said in your last post, I am going to assume that what I was initially trying to do would not work either?

I can elaborate on that part if you need clarification.

ericli_FTNT

Hi OP,

It seems that you did not configure the FortiSwitch from the Fortigate. We always recommend that customers configure FortiSwitches through the Fortigate, for better stability and for security considerations.


Just simply configure a port on the Fortigate as a "dedicated to fortilink" and enable central management on the FSW. Please refer to: https://docs.fortinet.com...manageFSWfromFGT54.pdf

ede_pfau
Esteemed Contributor III

OK, I've re-read your original post, and it doesn't look so moot...

You should be able to hook up your FS-224D to your FGT. That is,

- upgrade the FS firmware until it meets the requirements for the FortiOS in use on the FGT (release notes)

- connect one port of the FGT to the FS, dedicated to FortiSwitch like ericli_FTNT posted (basically, enable CAPWAP protocol on that port)

- now you should be able to configure VLANs on the FS from the FGT


Putting ports into VLANs is a no-brainer (as you expected), trunks as well. Whereas VLAN routing is done on the FGT, the FS are L2 only as far as I know. Take heed that the 'control' link from FGT to FS will not carry data! If you want to route traffic that crosses the FS you need to create a second ('data') link from FS to FGT.

Then, VLAN routing is like any other traffic: directed by routes and allowed by policy, so you need both. (an aside: this is when one might discover the beauty of a switch controller - the FS switch ports are 'extension' ports of the FGT. Routing, security, sniffing, management, all of that.)


HTH. I'm off for a couple of hours now (CET).


Ede

"Kernel panic: Aiee, killing interrupt handler!"
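As an added illustration of the steps above (not from this thread or from Fortinet's documentation), this is what the OP's layout looks like on the FortiGate CLI once the switch is managed: a "wifi" VLAN 10 interface on the FortiLink trunk, switch ports 1-4 placed in that VLAN for the APs, and the firewall policy that, as Ede notes, is required in addition to routing. It assumes a newer FortiOS release with the switch-controller CLI (6.x-style syntax; the 5.2/5.4 CLI differs and the VLAN here rides the FortiLink interface itself), a FortiLink interface named "fortilink", a LAN interface named "internal", a constructed 192.168.10.0/24 address and a placeholder switch serial; lines starting with # are explanatory comments.

```text
# VLAN 10 ("wifi") as a FortiGate interface on top of the FortiLink trunk.
# The FortiGate is the gateway for it, so traffic between VLANs is routed here.
config system interface
    edit "wifi"
        set vdom "root"
        set ip 192.168.10.1 255.255.255.0   # constructed address for VLAN 10
        set allowaccess ping capwap         # APs on this VLAN reach the WiFi controller
        set interface "fortilink"
        set vlanid 10
    next
end

# Switch port membership: ports 1-4 carry VLAN 10 only (untagged, for the APs).
# The remaining ports stay in the default VLAN. The uplink to the FortiGate is
# the FortiLink port and is set up by the switch controller, not as a hand-made trunk.
config switch-controller managed-switch
    edit "FS224D-SERIAL-PLACEHOLDER"        # placeholder, use the real switch serial
        config ports
            edit "port1"
                set vlan "wifi"
            next
            edit "port2"
                set vlan "wifi"
            next
            edit "port3"
                set vlan "wifi"
            next
            edit "port4"
                set vlan "wifi"
            next
        end
    next
end

# A route alone is not enough: traffic between VLAN 10 and the LAN must also be
# allowed by a firewall policy. Narrow srcaddr/dstaddr/service to what the APs
# and clients actually need, and log it so the flow is visible.
config firewall policy
    edit 0
        set name "wifi-to-lan"
        set srcintf "wifi"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Return traffic from the LAN to the wireless VLAN needs its own policy in the opposite direction; without a matching policy the FortiGate silently drops the session.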