Virtual switch
Virtual switch feature enables you create virtual switches on top of the physical switch(es) with designated interfaces/ports so that a virtual switch can build up its forwarding table through learning and forward traffic accordingly. When traffic is forwarded among interfaces belonging to the same virtual switch, the traffic does not need to go up to the software stack, but is forwarded directly by the switch. When traffic has to be relayed to interfaces not on the virtual switch, the traffic will go through the normal data path and be offloaded to NP4, when possible.
This feature is only available on mid- to high-end FortiGate units, including the 100D, 600C, 1000C, and 1240B.
To enable and configure the virtual switch, enter the following CLI commands:
config system virtual-switch
edit vs1
set physical-switch sw0
config port
edit 1
set port port1
set speed xx
set duplex xx
set status [up|down]
edit 2
set port port2
set ...
end
end
end
Support for 802.1x fallback and 802.1x dynamic VLANs
There are four modes when enabling 802.1x on a virtual switch interface:
Mode | Description |
---|---|
Default | In this mode, it works as it did previously. |
Fallback | In fallback mode, the virtual switch will be treated as a master. Only one slave can refer to a fallback master. Those ports in the master virtual switch are always authorized. After passing 802.1x authentication, the ports will be stay authorized and moved to its slave virtual switch. |
Dynamic-vlan | In dynamic-vlan mode, the virtual switch will also be treated as a master. However, many slaves can refer to a dynamic-vlan master. Those ports in the master virtual switch are always un-authorized. After passing 802.1x/MAB authentication, the ports will be set to authorized and moved to one of its slave virtual switches. |
Slave | In slave mode, a master must be set through security-8021x-master attribute. A slave virtual switch will use its master virtual switch's security-groups settings for authentication. |
CLI example for fallback mode:
config system virtual-switch
edit "fallsw"
set physical-switch "sw0"
config port
end
edit "trust"
set physical-switch "sw0"
end
config system interface
edit "fallsw"
set vdom "root"
set ip 192.168.20.1 255.255.255.0
set allowaccess ping https ssh snmp http telnet fgfm auto-ipsec radius-acct proberesponse capwap
set type hard-switch
set security-mode 802.1X
set security-8021x-mode fallback(fallback mode master switch)
set security-groups "rds-grp"(the usergroup for 802.1x)
set snmp-index 10
next
edit "trust"
set vdom "root"
set ip 192.168.22.1 255.255.255.0
set allowaccess ping https ssh snmp http telnet fgfm auto-ipsec radius-acct proberesponse
set type hard-switch
set security-mode 802.1X
set security-8021x-mode slave(slave mode switch)
set security-8021x-master "fallsw" (its master switch)
set snmp-index 6
next
end
CLI example for dynamic-vlan mode:
config system virtual-switch
edit "internal"
set physical-switch "sw0"
edit "lan-trust"
set physical-switch "sw0"
next
edit "lan-vlan1000"
set physical-switch "sw0"
next
edit "lan-vlan2000"
set physical-switch "sw0"
config port
edit "internal1" (normally we should not add port in slave switch. This is used if
user wants to manually add one port in slave)
end
end
config system interface
edit "internal"
set vdom "root"
set ip 192.168.11.99 255.255.255.0
set allowaccess ping https ssh http fgfm capwap
set type hard-switch
set security-mode 802.1X
set security-8021x-mode dynamic-vlan<------dynamic-vlan mode master switch
set security-groups "rds-grp"<------the usergroup for 802.1x
set snmp-index 15
next
edit "lan-trust"
set vdom "root"
set ip 192.168.111.99 255.255.255.0
set allowaccess ping https ssh snmp http telnet fgfm auto-ipsec radius-acct proberesponse capwap
set type hard-switch
set security-mode 802.1X
set security-8021x-mode slave<-----slave mode switch
set security-8021x-master "internal"<-----its master switch
set snmp-index 7
next
edit "lan-vlan1000"
set vdom "root"
set ip 192.168.110.1 255.255.255.0
set allowaccess ping https ssh snmp http telnet fgfm auto-ipsec radius-acct proberesponse capwap
set type hard-switch
set security-mode 802.1X
set security-8021x-mode slave<-----slave mode switch
set security-8021x-master "internal"<-----its master switch
set security-8021x-dynamic-vlan-id 1000 <-----the matching vlan id for this virtual
switch
set snmp-index 16
next
edit "lan-vlan2000"
set vdom "root"
set ip 192.168.220.1 255.255.255.0
set allowaccess ping https ssh snmp http telnet fgfm auto-ipsec radius-acct proberesponse
capwap
set type hard-switch
set security-mode 802.1X
set security-8021x-mode slave
set security-8021x-master "internal"
set security-8021x-dynamic-vlan-id 2000
set snmp-index 17
end
config user group
edit "rds-grp"
set dynamic-vlan-id 4000(default vlan id if there is no vlan attribute return from server)
set member "190"
end