Software switch

A software switch, or soft switch, is a virtual switch that is implemented at the software or firmware level and not at the hardware level. A software switch can be used to simplify communication between devices connected to different FortiGate interfaces. For example, using a software switch, you can place the FortiGate interface connected to an internal network on the same subnet as your wireless interfaces. Then devices on the internal network can communicate with devices on the wireless network without any additional configuration on the FortiGate unit, such as additional security policies.

A software switch can also be useful if you require more hardware ports for the switch on a FortiGate unit. For example, if your FortiGate unit has a 4-port switch, WAN1, WAN2, and DMZ interfaces, and you need one more port, you can create a soft switch that can include the four-port switch and the DMZ interface, all on the same subnet. These types of applications also apply to wireless interfaces, virtual wireless interfaces, and physical interfaces such as those in FortiWiFi and FortiAP units.

Similar to a hardware switch, a software switch functions like a single interface. A soft switch has one IP address and all the interfaces in the software switch are on the same subnet. Traffic between devices connected to each interface is not regulated by security policies, and traffic passing in and out of the switch is controlled by the same policy.

When setting up a software switch, consider the following:

  • Ensure you have a backup of the configuration.
  • Ensure you have at least one port or connection such as the console port to connect to the FortiGate unit. If you accidentally combine too many ports, you need a way to undo errors.
  • The ports that you include must not have any link or relation to any other aspect of the FortiGate unit, such as DHCP servers, security policies, and so on.
  • For increased security, you can create a captive portal for the switch to allow only specific user groups access to the resources connected to the switch.

Some of the differences between software and hardware switches are:

Feature               Software switch                                                  Hardware switch
Processing            Packets are processed in software by the CPU.                    Packets are processed in hardware by the hardware switch controller, or SPU where applicable.
STP                   Not Supported                                                    Supported
Wireless SSIDs        Supported                                                        Not Supported
Intra-switch traffic  Allowed by default. Can be explicitly set to require a policy.   Allowed by default.

To create a software switch in the GUI:
  1. Go to Network > Interfaces.
  2. Click Create New > Interface.
  3. Set Type to Software Switch.
  4. Configure the Interface Name, Virtual Domain, Interface Members, and other fields.

    To add an interface to a software switch, it cannot be referenced by an existing configuration and its IP address must be set to 0.0.0.0/0.0.0.0.

  5. Click OK.

To create a software switch in the CLI:
config system switch-interface
    edit <switch-name>
        set type switch
        set member <interface_list>
    next
end
config system interface
    edit <switch-name>
        set ip <ip_address>
        set allowaccess https ssh ping
    next
end

To add an interface to a software switch, it cannot be referenced by an existing configuration and its IP address must be set to 0.0.0.0/0.0.0.0.

Example

For this example, the wireless interface (WiFi) needs to be on the same subnet as the DMZ1 interface to facilitate wireless syncing from an iPhone and a local computer. Because syncing between two subnets is problematic, putting both interfaces on the same subnet allows the syncing to work. The software switch will accomplish this.

  1. Clear the interfaces and back up the configuration.
    1. Ensure the interfaces are not used by any security policy or for any other purpose on the FortiGate unit.
    2. Check the WiFi and DMZ1 ports to ensure DHCP is not enabled on the interface and that there are no other dependencies on these interfaces.
    3. Save the current configuration so that if something doesn’t work, recovery can be quick.
  2. Merge the interfaces.

    Merge the WiFi port and DMZ1 port to create a software switch named synchro with an IP address of 10.10.21.12.

    Use the following CLI commands to create the switch, add the IP, and then set the administrative access for HTTPS, SSH and Ping.

    config system switch-interface
        edit synchro
            set type switch
            set member dmz1 wifi
        next
    end
    config system interface
        edit synchro
            set ip 10.10.21.12
            set allowaccess https ssh ping
        next
    end

    When the soft switch is set up, you can now add security policies, DHCP servers, and any other configuration you normally apply when configuring interfaces on the FortiGate unit.
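As an added pre-flight check for step 1 above (example code, not part of the Fortinet cookbook), the following Python parses a constructed FortiGate configuration backup and reports why a candidate interface is not yet eligible to be a software switch member: an IP address other than 0.0.0.0/0.0.0.0, or a remaining reference from a DHCP server or firewall policy. The config excerpt, the parse_fortios and member_blockers helpers, and the set of tables checked are assumptions for illustration; a real backup has many more tables that can reference an interface.

```python
# Constructed sample of a FortiGate configuration backup (not from a real unit).
SAMPLE_CONFIG = """\
config system interface
    edit "dmz1"
        set ip 0.0.0.0 0.0.0.0
    next
    edit "wifi"
        set ip 10.10.21.1 255.255.255.0
    next
end
config system dhcp server
    edit 1
        set interface "wifi"
    next
end
config firewall policy
    edit 1
        set srcintf "wifi"
    next
end
"""

def parse_fortios(text):
    """Parse one level of 'config / edit / set / next / end' into {table: {entry: {key: value}}}."""
    tables, table, entry = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            table = line[7:]
            tables.setdefault(table, {})
        elif line.startswith("edit ") and table:
            entry = line[5:].strip('"')
            tables[table][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            tables[table][entry][key] = value.replace('"', "")
        elif line == "next":
            entry = None
    return tables

# Assumed subset of tables/keys that may still reference a member interface.
REFERENCE_KEYS = [("system dhcp server", "interface"), ("firewall policy", "srcintf"), ("firewall policy", "dstintf")]

def member_blockers(config_text, member):
    """Return the reasons why `member` cannot yet be added to a software switch (empty list = OK)."""
    cfg = parse_fortios(config_text)
    ip = cfg.get("system interface", {}).get(member, {}).get("ip", "")
    reasons = [] if ip == "0.0.0.0 0.0.0.0" else [f"ip is {ip or 'unset'}, must be 0.0.0.0/0.0.0.0"]
    for table, key in REFERENCE_KEYS:
        for eid, entry in cfg.get(table, {}).items():
            if member in entry.get(key, "").split():
                reasons.append(f"referenced by {table} {eid} ({key})")
    return reasons
```

In the sample, dmz1 is clean while wifi is blocked three times (its IP, the DHCP server, and policy 1), which mirrors the two checks in step 1 of the example.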