Virtual switch

The virtual switch feature lets you create virtual switches on top of the physical switch(es), each with its own designated interfaces/ports, so that a virtual switch can build up its forwarding table through MAC learning and forward traffic accordingly. Traffic between interfaces belonging to the same virtual switch is forwarded directly by the switch hardware and never goes up to the software stack; that also means no firewall policy is applied between ports of the same virtual switch, so hosts that must be separated by policy belong on different virtual switches. Traffic that has to be relayed to interfaces outside the virtual switch takes the normal data path and is offloaded to the NP4 where possible.

This feature is only available on mid- to high-end FortiGate units, including the 100D, 600C, 1000C, and 1240B.

To enable and configure a virtual switch, enter the following CLI commands. Each port entry must be closed with next before the following edit; speed and duplex take model-dependent values, shown here as placeholders:

config system virtual-switch
    edit vs1
        set physical-switch sw0
        config port
            edit 1
                set port port1
                set speed xx
                set duplex xx
                set status [up|down]
            next
            edit 2
                set port port2
                set ...
            next
        end
    next
end

Support for 802.1x fallback and 802.1x dynamic VLANs

There are four modes when enabling 802.1x on a virtual switch interface, selected with the security-8021x-mode attribute:

Mode          Description
Default       Behaves as 802.1x on a virtual switch did before this feature: no master/slave relationship.
Fallback      The virtual switch is treated as a master, and only one slave can refer to a fallback master. Ports in the master virtual switch are always authorized, that is, they pass traffic before any authentication. After passing 802.1x authentication, a port stays authorized and is moved to the master's slave virtual switch.
Dynamic-vlan  The virtual switch is also treated as a master, but many slaves can refer to a dynamic-vlan master. Ports in the master virtual switch are always unauthorized. After passing 802.1x or MAB authentication, a port is set to authorized and moved to one of the master's slave virtual switches, selected by VLAN ID.
Slave         A master must be set with the security-8021x-master attribute. A slave virtual switch uses its master's security-groups setting for authentication.

The two master modes differ in what an unauthenticated device can reach. In fallback mode the master is the network a port sits on before (or without) successful authentication and it forwards traffic, so treat the master's subnet as untrusted and write firewall policies from it accordingly. In dynamic-vlan mode the master forwards nothing until 802.1x or MAB succeeds, which is the safer choice for ports that may face untrusted devices.

CLI example for fallback mode. "fallsw" is the fallback master: ports stay on it and pass traffic until they authenticate. "trust" is its single slave, to which ports move after passing 802.1x. The <--- annotations are explanatory and are not part of the CLI. The allowaccess lists are kept as in the original example; they are broad for a supplicant-facing interface (telnet and http are cleartext), so restrict them in production.

config system virtual-switch
    edit "fallsw"
        set physical-switch "sw0"
        config port
        end
    next
    edit "trust"
        set physical-switch "sw0"
    next
end

config system interface
    edit "fallsw"
        set vdom "root"
        set ip 192.168.20.1 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm auto-ipsec radius-acct proberesponse capwap
        set type hard-switch
        set security-mode 802.1X
        set security-8021x-mode fallback        <--- fallback mode master switch
        set security-groups "rds-grp"           <--- the user group for 802.1x
        set snmp-index 10
    next
    edit "trust"
        set vdom "root"
        set ip 192.168.22.1 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm auto-ipsec radius-acct proberesponse
        set type hard-switch
        set security-mode 802.1X
        set security-8021x-mode slave           <--- slave mode switch
        set security-8021x-master "fallsw"      <--- its master switch
        set snmp-index 6
    next
end

CLI example for dynamic-vlan mode. "internal" is the dynamic-vlan master: ports sit on it unauthorized until 802.1x or MAB succeeds. "lan-trust", "lan-vlan1000" and "lan-vlan2000" are its slaves; the latter two carry a security-8021x-dynamic-vlan-id and are selected when the RADIUS server returns VLAN 1000 or 2000. The user group "rds-grp" supplies the default VLAN ID (4000) used when the server returns no VLAN attribute; note that no slave in this example carries VLAN 4000, so in a real deployment make sure a slave exists for whatever default you configure. The <--- annotations are explanatory and are not part of the CLI.

config system virtual-switch
    edit "internal"
        set physical-switch "sw0"
    next
    edit "lan-trust"
        set physical-switch "sw0"
    next
    edit "lan-vlan1000"
        set physical-switch "sw0"
    next
    edit "lan-vlan2000"
        set physical-switch "sw0"
        config port
            edit "internal1"    <--- normally ports are not added to a slave switch; only do this to place one port in the slave manually
            next
        end
    next
end

config system interface
    edit "internal"
        set vdom "root"
        set ip 192.168.11.99 255.255.255.0
        set allowaccess ping https ssh http fgfm capwap
        set type hard-switch
        set security-mode 802.1X
        set security-8021x-mode dynamic-vlan    <--- dynamic-vlan mode master switch
        set security-groups "rds-grp"           <--- the user group for 802.1x
        set snmp-index 15
    next
    edit "lan-trust"
        set vdom "root"
        set ip 192.168.111.99 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm auto-ipsec radius-acct proberesponse capwap
        set type hard-switch
        set security-mode 802.1X
        set security-8021x-mode slave           <--- slave mode switch
        set security-8021x-master "internal"    <--- its master switch
        set snmp-index 7
    next
    edit "lan-vlan1000"
        set vdom "root"
        set ip 192.168.110.1 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm auto-ipsec radius-acct proberesponse capwap
        set type hard-switch
        set security-mode 802.1X
        set security-8021x-mode slave           <--- slave mode switch
        set security-8021x-master "internal"    <--- its master switch
        set security-8021x-dynamic-vlan-id 1000 <--- the matching VLAN ID for this virtual switch
        set snmp-index 16
    next
    edit "lan-vlan2000"
        set vdom "root"
        set ip 192.168.220.1 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm auto-ipsec radius-acct proberesponse capwap
        set type hard-switch
        set security-mode 802.1X
        set security-8021x-mode slave
        set security-8021x-master "internal"
        set security-8021x-dynamic-vlan-id 2000
        set snmp-index 17
    next
end

config user group
    edit "rds-grp"
        set dynamic-vlan-id 4000    <--- default VLAN ID if the server returns no VLAN attribute
        set member "190"
    next
end
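The master/slave rules behind both examples (a slave must name an existing fallback or dynamic-vlan master, a fallback master has at most one slave, a dynamic-vlan master's slaves must not share a VLAN ID, and masters carry the security-groups their slaves inherit) are easy to break in a large configuration. The following Python script is an added example, not FortiOS code: it parses the flat CLI shape used on this page, checks those rules, and resolves which virtual switch a port lands on after an authentication result. The sample configuration is constructed from the fallback and dynamic-vlan examples above, reduced to the attributes the checks read. It assumes the VLAN returned by the RADIUS server has already been extracted from the Access-Accept (Tunnel-Private-Group-ID per RFC 3580; the page itself does not name the attribute), and because the page does not say what FortiOS does when no slave matches the returned VLAN, that case is reported rather than guessed.

```python
from collections import defaultdict

# Constructed from the two examples on this page; not a real device backup.
SAMPLE_CONFIG = """\
config system interface
    edit "internal"
        set security-8021x-mode dynamic-vlan
        set security-groups "rds-grp"
    next
    edit "lan-vlan1000"
        set security-8021x-mode slave
        set security-8021x-master "internal"
        set security-8021x-dynamic-vlan-id 1000
    next
    edit "fallsw"
        set security-8021x-mode fallback
        set security-groups "rds-grp"
    next
    edit "trust"
        set security-8021x-mode slave
        set security-8021x-master "fallsw"
    next
end
config user group
    edit "rds-grp"
        set dynamic-vlan-id 4000
    next
end
"""


def parse_fortios(text):
    """Parse flat 'config / edit / set / next / end' tables into {table: {entry: {attr: value}}}."""
    tables = defaultdict(dict)
    table = entry = None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            table = " ".join(args)
        elif cmd == "edit" and table is not None:
            entry = args[0].strip('"')
            tables[table].setdefault(entry, {})
        elif cmd == "set" and entry is not None:
            tables[table][entry][args[0]] = " ".join(args[1:]).strip('"')
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            table = entry = None
    return tables


def slaves_of(ifaces, master):
    return [n for n, a in ifaces.items()
            if a.get("security-8021x-mode") == "slave"
            and a.get("security-8021x-master") == master]


def check_8021x(tables):
    """Violations of the mode table's rules; an empty list means the config follows them."""
    ifaces = tables["system interface"]
    problems, seen = [], {}
    for name, a in ifaces.items():
        mode = a.get("security-8021x-mode", "default")
        master = a.get("security-8021x-master")
        if mode == "slave":
            if ifaces.get(master, {}).get("security-8021x-mode") not in ("fallback", "dynamic-vlan"):
                problems.append(f"{name}: slave must name an existing fallback or dynamic-vlan master")
            vid = a.get("security-8021x-dynamic-vlan-id")
            if vid is not None and (master, vid) in seen:
                problems.append(f"{master}: VLAN {vid} mapped to both {seen[master, vid]} and {name}")
            seen[master, vid] = name
        elif mode in ("fallback", "dynamic-vlan"):
            if "security-groups" not in a:
                problems.append(f"{name}: {mode} master has no security-groups (slaves inherit them)")
            if mode == "fallback" and len(slaves_of(ifaces, name)) > 1:
                problems.append(f"{name}: fallback master may have only one slave, has {slaves_of(ifaces, name)}")
    return problems


def resolve_port(tables, master, authenticated, vlan_attr=None):
    """Where a port on `master` lands and whether it is authorized, per the mode table.
    vlan_attr is the VLAN ID from the RADIUS reply (Tunnel-Private-Group-ID, RFC 3580)."""
    ifaces = tables["system interface"]
    slaves = slaves_of(ifaces, master)
    mode = ifaces[master].get("security-8021x-mode")
    if mode == "fallback":
        # Master ports forward even before authentication: this is the fallback network.
        return (slaves[0], "authorized") if authenticated and slaves else (master, "authorized")
    if mode == "dynamic-vlan":
        if not authenticated:
            return master, "unauthorized"  # nothing forwarded until 802.1X/MAB succeeds
        group = tables["user group"].get(ifaces[master].get("security-groups"), {})
        vid = str(vlan_attr) if vlan_attr is not None else group.get("dynamic-vlan-id")
        for s in slaves:
            if ifaces[s].get("security-8021x-dynamic-vlan-id") == vid:
                return s, "authorized"
        return None, f"no slave for VLAN {vid}"  # page does not say what FortiOS does here
    raise ValueError(f"{master} is not a fallback or dynamic-vlan master")
```

Run check_8021x over a full interface table before pushing a change; a slave that points at a master in the wrong mode, a second slave on a fallback master, or two slaves sharing a VLAN ID each come back as a one-line finding. resolve_port makes the difference between the two master modes concrete: with authenticated=False a fallback master reports the port as authorized on the master (the fallback network forwards), while a dynamic-vlan master reports it unauthorized, and with no VLAN attribute the dynamic-vlan case falls back to the group's default of 4000, which in the page's example matches no slave.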