Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    6.4.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    VLAN interface templates for FortiSwitch devices

    VLAN interface templates for FortiSwitch devices

    You can create configuration templates that define the VLAN interfaces and are applied to new FortiSwitch devices when they are discovered and managed by the FortiGate.

    For each VDOM, you can create templates, and then assign those templates to the automatically created switch VLAN interfaces for six types of traffic. The network subnet that is reserved for the switch controller can also be customized.

    To ensure that switch VLAN interface names are unique for each system, the following naming rules are used:

    • root VDOM: the interface names are the same as the template names.
    • other VDOMs: the interface name is created from the template name and the SNMP index of the interface. For example, if the template name is quarantined and the SNMP index is 29, then the interface name is quarantined.29.

    You can also customize the FortiLink management VLAN per FortiLink interface:

    config system interface
    edit <fortilink interface>
        set fortilink enable
        set switch-controller-mgmt-vlan <integer>
    next
end

    The management VLAN can be a number from 1 to 4094. the default value is 4094.

    Create VLAN interface templates

    To configure the VLAN interface templates:
    config switch-controller initial-config template
    edit <template_name>
        set vlanid <integer>
        set ip <ip/netmask>
        set allowaccess {options}
        set auto-ip {enable | disable}
        set dhcp-server {enable | disable}
    next
end

    <template_name>

    The name, or part of the name, of the template.

    vlanid <integer>

    The unique VLAN ID for the type of traffic the template is assigned to (1 - 4094, default = 4094)

    ip <ip/netmask>

    The IP address and subnet mask of the switch VLAN interface. This can only be configured when auto‑ip is disabled.

    allowaccess {options}

    The permitted types of management access to this interface.

    auto-ip {enable | disable}

    When enabled, the switch-controller will pick an unused 24 bit subnet from the switch‑controller‑reserved‑network (configured in config system global).

    dhcp-server {enable | disable}

    When enabled, the switch-controller will create a DHCP server for the switch VLAN interface
    To assign the templates to the specific traffic types:
    config switch-controller initial-config vlans
    set default-vlan <template>
    set quarantine <template>
    set rspan <template>
    set voice <template>
    set video <template>
    set nac <template>
end
    default-vlan <template>

    Default VLAN assigned to all switch ports upon discovery.
    quarantine <template>

    VLAN for quarantined traffic.
    rspan <template>

    VLAN for RSPAN/ERSPAN mirrored traffic.
    voice <template>

    VLAN dedicated for voice devices.
    video <template>

    VLAN dedicated for video devices.
    nac <template>

    VLAN for NAC onboarding devices.
    To configure the network subnet that is reserved for the switch controller:
    config system global
    set switch-controller-reserved-network <ip/netmask>
end

    The default value is 169.254.0.0 255.255.0.0.

    Example

    In this example, six templates are configured with different VLAN IDs. Except for the default template, all of them have DHCP server enabled. When a FortiSwitch is discovered, VLANs and the corresponding DHCP servers are automatically created.

    To configure six templates and apply them to VLAN traffic types:
    config switch-controller initial-config template
    edit "default"
        set vlanid 1
        set auto-ip disable
    next
    edit "quarantine"
        set vlanid 4093
        set dhcp-server enable
    next
    edit "rspan"
        set vlanid 4092
        set dhcp-server enable
    next
    edit "voice"
        set vlanid 4091
        set dhcp-server enable
    next
    edit "video"
        set vlanid 4090
        set dhcp-server enable
    next
    edit "onboarding"
        set vlanid 4089
        set dhcp-server enable
    next
end
    config switch-controller initial-config vlans
    set default-vlan "default"
    set quarantine "quarantine"
    set rspan "rspan"
    set voice "voice"
    set video "video"
    set nac "onboarding"
end
    To see the automatically created VLANs and DHCP servers:
    show system interface
    edit "default"
        set vdom "root"
        set snmp-index 24
        set switch-controller-feature default-vlan
        set interface "fortilink"
        set vlanid 1
    next
    edit "quarantine"
        set vdom "root"
        set ip 169.254.11.1 255.255.255.0
        set description "Quarantine VLAN"
        set security-mode captive-portal
        set replacemsg-override-group "auth-intf-quarantine"
        set device-identification enable
        set snmp-index 25
        set switch-controller-access-vlan enable
        set switch-controller-feature quarantine
        set color 6
        set interface "fortilink"
        set vlanid 4093
    next
    ...
end
    show system dhcp server
    edit 2
        set dns-service local
        set ntp-service local
        set default-gateway 169.254.1.1
        set netmask 255.255.255.0
        set interface "fortilink"
        config ip-range
            edit 1
                set start-ip 169.254.1.2
                set end-ip 169.254.1.254
            next
        end
        set vci-match enable
        set vci-string "FortiSwitch" "FortiExtender"
    next
    edit 3
        set dns-service default
        set default-gateway 169.254.11.1
        set netmask 255.255.255.0
        set interface "quarantine"
        config ip-range
            edit 1
                set start-ip 169.254.11.2
                set end-ip 169.254.11.254
            next
        end
        set timezone-option default
    next
    ...
end
    Previous
    Next

    VLAN interface templates for FortiSwitch devices

    VLAN interface templates for FortiSwitch devices

    You can create configuration templates that define the VLAN interfaces and are applied to new FortiSwitch devices when they are discovered and managed by the FortiGate.

    For each VDOM, you can create templates, and then assign those templates to the automatically created switch VLAN interfaces for six types of traffic. The network subnet that is reserved for the switch controller can also be customized.

    To ensure that switch VLAN interface names are unique for each system, the following naming rules are used:

    • root VDOM: the interface names are the same as the template names.
    • other VDOMs: the interface name is created from the template name and the SNMP index of the interface. For example, if the template name is quarantined and the SNMP index is 29, then the interface name is quarantined.29.

    You can also customize the FortiLink management VLAN per FortiLink interface:

    config system interface
    edit <fortilink interface>
        set fortilink enable
        set switch-controller-mgmt-vlan <integer>
    next
end

    The management VLAN can be a number from 1 to 4094. the default value is 4094.

    Create VLAN interface templates

    To configure the VLAN interface templates:
    config switch-controller initial-config template
    edit <template_name>
        set vlanid <integer>
        set ip <ip/netmask>
        set allowaccess {options}
        set auto-ip {enable | disable}
        set dhcp-server {enable | disable}
    next
end

    <template_name>

    The name, or part of the name, of the template.

    vlanid <integer>

    The unique VLAN ID for the type of traffic the template is assigned to (1 - 4094, default = 4094)

    ip <ip/netmask>

    The IP address and subnet mask of the switch VLAN interface. This can only be configured when auto‑ip is disabled.

    allowaccess {options}

    The permitted types of management access to this interface.

    auto-ip {enable | disable}

    When enabled, the switch-controller will pick an unused 24 bit subnet from the switch‑controller‑reserved‑network (configured in config system global).

    dhcp-server {enable | disable}

    When enabled, the switch-controller will create a DHCP server for the switch VLAN interface
    To assign the templates to the specific traffic types:
    config switch-controller initial-config vlans
    set default-vlan <template>
    set quarantine <template>
    set rspan <template>
    set voice <template>
    set video <template>
    set nac <template>
end
    default-vlan <template>

    Default VLAN assigned to all switch ports upon discovery.
    quarantine <template>

    VLAN for quarantined traffic.
    rspan <template>

    VLAN for RSPAN/ERSPAN mirrored traffic.
    voice <template>

    VLAN dedicated for voice devices.
    video <template>

    VLAN dedicated for video devices.
    nac <template>

    VLAN for NAC onboarding devices.
    To configure the network subnet that is reserved for the switch controller:
    config system global
    set switch-controller-reserved-network <ip/netmask>
end

    The default value is 169.254.0.0 255.255.0.0.

    Example

    In this example, six templates are configured with different VLAN IDs. Except for the default template, all of them have DHCP server enabled. When a FortiSwitch is discovered, VLANs and the corresponding DHCP servers are automatically created.

    To configure six templates and apply them to VLAN traffic types:
    config switch-controller initial-config template
    edit "default"
        set vlanid 1
        set auto-ip disable
    next
    edit "quarantine"
        set vlanid 4093
        set dhcp-server enable
    next
    edit "rspan"
        set vlanid 4092
        set dhcp-server enable
    next
    edit "voice"
        set vlanid 4091
        set dhcp-server enable
    next
    edit "video"
        set vlanid 4090
        set dhcp-server enable
    next
    edit "onboarding"
        set vlanid 4089
        set dhcp-server enable
    next
end
    config switch-controller initial-config vlans
    set default-vlan "default"
    set quarantine "quarantine"
    set rspan "rspan"
    set voice "voice"
    set video "video"
    set nac "onboarding"
end
    To see the automatically created VLANs and DHCP servers:
    show system interface
    edit "default"
        set vdom "root"
        set snmp-index 24
        set switch-controller-feature default-vlan
        set interface "fortilink"
        set vlanid 1
    next
    edit "quarantine"
        set vdom "root"
        set ip 169.254.11.1 255.255.255.0
        set description "Quarantine VLAN"
        set security-mode captive-portal
        set replacemsg-override-group "auth-intf-quarantine"
        set device-identification enable
        set snmp-index 25
        set switch-controller-access-vlan enable
        set switch-controller-feature quarantine
        set color 6
        set interface "fortilink"
        set vlanid 4093
    next
    ...
end
    show system dhcp server
    edit 2
        set dns-service local
        set ntp-service local
        set default-gateway 169.254.1.1
        set netmask 255.255.255.0
        set interface "fortilink"
        config ip-range
            edit 1
                set start-ip 169.254.1.2
                set end-ip 169.254.1.254
            next
        end
        set vci-match enable
        set vci-string "FortiSwitch" "FortiExtender"
    next
    edit 3
        set dns-service default
        set default-gateway 169.254.11.1
        set netmask 255.255.255.0
        set interface "quarantine"
        config ip-range
            edit 1
                set start-ip 169.254.11.2
                set end-ip 169.254.11.254
            next
        end
        set timezone-option default
    next
    ...
end
    Previous
    Next