New feature: FortiGate Hardware Switch Interface. The virtual switch feature enables you to create virtual switches on top of the physical switch(es) with designated interfaces/ports, so that a virtual switch can build up its forwarding table through learning and forward traffic accordingly. A hardware switch is a virtual interface that groups different interfaces together, allowing a FortiGate to treat the group as a single interface. Many FortiGate models have a default hardware switch, called either lan or internal.
Posted 1 year ago (archived)
Ok, so I have a Fortigate 200D POE with 5.4.6 on it.
It currently works with the following config:
I have a 'hardware switch' with 3 VLANs assigned to it, along with network port 9-16.
These are effectively trunk ports, correct?
9 is attached to a physical switch that is set up with those 3 VLANs in it, and access ports are configured past that to allow for different workstations to be on different VLANs.
I then have ports 10-16 attached to 7 different POE Meraki APs so that each AP knows about each of the 3 VLANs, plus has power, and then assign SSIDs for each VLAN.
This all works. I am not a fan of how it is set up, but that's what I got.
I now am upgrading my network switches, and want to make use of the SFP ports on the FGT and my new switches for a better uplink...
I want to add a couple more VLANs to this HW switch (already assigned individually to other hw ports on the FGT), and also assign the DMZ2 port to this HW switch... I spoke with a FortiGate rep and they said due to a hardware limitation, DMZ ports are not able to be part of that hardware switch... but they can be part of a virtual switch, and I can then add the hw switch to that vswitch... and then assign my VLAN configs to that vswitch....
I am going to try that configuration, but I know using vswitches creates unnecessary CPU overhead so I am trying to come up with a better solution.
It's really strange to me that I can't just make VLAN configs and assign them to multiple interfaces... Once you assign a VLAN to HW switch 1, you can't also assign that same VLAN to SW Switch 1 or HW Port 3 or whatever... right???
My thoughts are to separate my wireless VLANs from my wired VLANs. VLAN20 wired would be 20, and Wireless would be like VLAN21 and so on. That way, I could assign all the wireless VLANs to a HW Switch using port 10-16 and then my wired VLANs all would go on DMZ2 to my physical switches... does this make sense?
Minus getting POE injectors for my APs (or powering them another way) I don't see any other way to accomplish this.
Anyone have other suggestions?
Thanks!
edit: formatting
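The wired/wireless split the post proposes, written out as an added FortiOS-style CLI sketch (not from the original post or from Fortinet): a hardware switch holding the AP ports carries the wireless VLAN, while the wired VLAN rides on dmz2 alone, so no VLAN ID needs two parent interfaces. The interface names (port10-port16, dmz2, wifi-sw), the physical-switch name sw0, the VLAN names and the IP addresses are assumptions.

```text
# Hardware switch for the APs: ports 10-16 become members (names assumed).
config system virtual-switch
    edit "wifi-sw"
        set physical-switch "sw0"
        config port
            edit "port10"
            next
            edit "port11"
            next
            edit "port12"
            next
            edit "port13"
            next
            edit "port14"
            next
            edit "port15"
            next
            edit "port16"
            next
        end
    next
end

config system interface
    # Wireless VLAN 21: tagged on the hardware switch, so every AP port
    # trunks it. Each VLAN ID is bound to exactly one parent interface.
    edit "VLAN21-wifi"
        set vdom "root"
        set ip 10.21.0.1 255.255.255.0
        set interface "wifi-sw"
        set vlanid 21
    next
    # Wired VLAN 20: tagged on dmz2, the uplink to the physical switches.
    # Keeping it off the AP switch means APs never see wired-only traffic.
    edit "VLAN20-wired"
        set vdom "root"
        set ip 10.20.0.1 255.255.255.0
        set interface "dmz2"
        set vlanid 20
    next
end
```

Traffic between VLAN20-wired and VLAN21-wifi still needs explicit firewall policies; leaving them separate interfaces is what lets you filter wired-to-wireless traffic at the FortiGate.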