Support VLAN over FortiExtender LAN-extension mode 7.6.1
This release adds support for VLANs over a FortiExtender configured as a LAN extension. VLAN support is configured on the FortiGate Access Controller via the GUI or CLI. Once you add the VLAN configurations to the LAN extension profile, the FortiGate synchronizes them to the FortiExtender, and the FortiExtender applies the VLAN configuration to its soft switch. Clients on different ports of the LAN switch can be assigned a dedicated VLAN ID, and the FortiGate Access Controller can apply a dedicated firewall policy to each VLAN interface.
The following CLI commands have been added:
config extension-controller extender-profile
    edit <FortiExtender Profile>
        set extension lan-extension
        config lan-extension
            config downlinks
                edit <id>
                    set type port
                    set port <port>
                    set pvid <vlanid>
                next
            end
        end
    next
end
<port> is the VLAN interface added to the FortiExtender interface.
<vlanid> is the desired VLAN ID.
Example topology
All FortiExtender LAN traffic is sent to the FortiGate Access Controller via a Layer 2 Tunnel.
To configure VLANs on FortiExtender - GUI:
- From the FortiGate, go to Network > FortiExtenders and configure the FortiExtender to run in LAN extension mode.
- Go to Network > Interfaces and add VLAN interfaces to the LAN extension interface.
  DHCP servers are enabled on these VLAN interfaces and provide IP and gateway addresses to clients behind the FortiExtender.
- Go to Network > FortiExtenders and edit the FortiExtender Profile.
- Under LAN extension > FortiExtender downlink, click Create new to create a new downlink.
- Select the interface and enter the VLAN ID you want to bind to the FortiExtender LAN switch port.
- When you are finished, click OK.
- In the FortiGate Access Controller, go to Policy & Objects > Firewall Policy and create a firewall policy for each VLAN interface designated as a downlink.
- When you are done configuring on the FortiGate Access Controller, you can check the FortiExtender device to see the corresponding downlink configurations.
When a client connects to port4 of a FortiExtender LAN switch, it will get the DHCP allocation (21.21.21.100) from FortiGate vlan201. Client traffic then goes through the firewall from vlan201 to port1.
To configure VLANs on FortiExtender - CLI:
- When the FortiGate Access Controller detects a FortiExtender, it automatically generates an extender-profile without a downlink.
    config extension-controller extender-profile
        edit "FX200F-lanext-default"
            set id 0
            set model FX200F
            set extension lan-extension
            config lan-extension
                set link-loadbalance loadbalance
                set ipsec-tunnel "fext-ipsec-QdzC"
                set backhaul-interface "port3"
                set backhaul-ip "1.1.1.10"
                config backhaul
                    edit "1"
                        set port port1
                    next
                    edit "2"
                        set port port2
                    next
                end
            end
        next
    end
- Configure the FortiExtender to use LAN-extension mode.
    config extension-controller extender
        edit "FX0035919000000"
            set id "FX200F5919000000"
            set authorized enable
            set device-id 0
            set extension-type lan-extension
            set profile "FX200F-lanext-default"
            set override-allowaccess enable
            set allowaccess ping telnet
            set override-login-password-change enable
        next
    end
- When the FortiExtender is authorized, the FortiGate receives a LAN-extension interface.
    config system interface
        edit "FX0035919000000"
            set vdom "root"
            set ip 172.31.0.254 255.255.255.0
            set allowaccess ping ssh
            set type lan-extension
            set role lan
            set snmp-index 27
            set ip-managed-by-fortiipam enable
            set interface "fext-ipsec-QdzC"
        next
    end
- Create VLAN interfaces based on the LAN-extension interface and enable DHCP servers on the VLAN interfaces.
    config system interface
        edit "v201"
            set vdom "root"
            set ip 21.21.21.99 255.255.255.0
            set allowaccess ping
            set device-identification enable
            set role lan
            set snmp-index 28
            set ip-managed-by-fortiipam disable
            set interface "FX0035919000000"
            set vlanid 201
        next
    end
    config system dhcp server
        edit 4
            set forticlient-on-net-status disable
            set dns-service default
            set default-gateway 21.21.21.99
            set netmask 255.255.255.0
            set interface "v201"
            config ip-range
                edit 1
                    set start-ip 21.21.21.100
                    set end-ip 21.21.21.120
                next
            end
        next
    end
- Configure the FortiExtender downlink interfaces in the LAN extension profile.
  This example forces clients connected to FortiExtender LAN switch port4 to send traffic to FortiGate VLAN 201, and clients connected to FortiExtender LAN switch port5 to send traffic to FortiGate VLAN 401.
    config extension-controller extender-profile
        edit "FX200F-lanext-default"
            set id 0
            set model FX200F
            set extension lan-extension
            config lan-extension
                set link-loadbalance loadbalance
                set ipsec-tunnel "fext-ipsec-QdzC"
                set backhaul-interface "port3"
                set backhaul-ip "1.1.1.10"
                config backhaul
                    edit "1"
                        set port port1
                    next
                    edit "2"
                        set port port2
                    next
                end
                config downlinks
                    edit "downlink-v201"
                        set type port
                        set port port4
                        set pvid 201
                    next
                    edit "downlink-v401"
                        set type port
                        set port port5
                        set pvid 401
                    next
                end
            end
        next
    end
- After configuring the extension profile on the FortiGate, the settings are automatically synced to the FortiExtender. No manual configuration is needed on the FortiExtender side.
  Corresponding synced FortiExtender configuration:
    config system switch-interface
        edit le-switch
            set vlan-support enable
            config member
                edit le-agg-link
                    set type aggregate
                    set port le-agg-link
                    set vids 201 401
                next
                edit port4
                    set type physical
                    set port port4
                    set vids
                    set pvid 201
                next
                edit port5
                    set type physical
                    set port port5
                    set vids
                    set pvid 401
                next
            end
            set stp disable
            set ts-mode disable
        next
    end
- Configure firewall policies to manage client traffic on each dedicated FortiGate VLAN.
  The following shows an example firewall policy for traffic on v201:
    config firewall policy
        edit 5
            set name "v201"
            set uuid 7ea5b28c-810c-51ef-1a44-f92a2c95d2d3
            set srcintf "v201"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
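The CLI procedure above ties three objects together: a downlink (switch port and pvid) in the extender-profile, a VLAN interface on the LAN-extension interface with the same VLAN ID, and a firewall policy whose source interface is that VLAN. A downlink whose pvid has no matching VLAN interface leaves clients on that port with no terminating interface, and a VLAN with no policy has no traffic control applied. The following script is an added example, not Fortinet's code and not part of this page: it parses FortiOS CLI text of the kind shown above with a small stack-based parser (config / edit / set / next / end) and reports every downlink that lacks either object. The embedded sample configuration is constructed from the objects on this page, with a v401 VLAN interface added and deliberately no policy for it so the check has something to report; parse_fortios, audit_lan_extension and the dictionary layout are the example's own, not a FortiOS API.

```python
"""Audit a FortiOS config for FortiExtender LAN-extension VLAN downlinks.
Added example (not Fortinet's code): parses FortiOS CLI text into nested dicts,
then checks each extender-profile downlink pvid against VLAN interfaces and policies."""
import re

# Constructed sample: this page's v201 objects plus a v401 VLAN with no policy.
SAMPLE_CONFIG = """\
config system interface
    edit "FX0035919000000"
        set type lan-extension
    next
    edit "v201"
        set interface "FX0035919000000"
        set vlanid 201
    next
    edit "v401"
        set interface "FX0035919000000"
        set vlanid 401
    next
end
config extension-controller extender-profile
    edit "FX200F-lanext-default"
        config lan-extension
            config downlinks
                edit "downlink-v201"
                    set port port4
                    set pvid 201
                next
                edit "downlink-v401"
                    set port port5
                    set pvid 401
                next
            end
        end
    next
end
config firewall policy
    edit 5
        set name "v201"
        set srcintf "v201"
    next
end
"""

_TOKEN = re.compile(r'"[^"]*"|\S+')  # a quoted value or a bare word

def _node():
    return {"attrs": {}, "entries": {}, "tables": {}}

def parse_fortios(text):
    """config X -> tables[X]; edit K -> entries[K]; set k v... -> attrs[k] = [v, ...]."""
    root = _node()
    stack = [root]
    for line in text.splitlines():
        toks = [t.strip('"') for t in _TOKEN.findall(line)]
        if not toks:
            continue
        cmd, args = toks[0], toks[1:]
        if cmd == "config":
            stack.append(stack[-1]["tables"].setdefault(" ".join(args), _node()))
        elif cmd == "edit":
            stack.append(stack[-1]["entries"].setdefault(args[0], _node()))
        elif cmd == "set":
            stack[-1]["attrs"][args[0]] = args[1:]
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root

def _entries(node, *path):
    """Walk nested config tables and return the entries of the last one (empty if absent)."""
    for name in path:
        node = node["tables"].get(name, _node())
    return node["entries"]

def audit_lan_extension(cfg):
    """Return a list of findings; an empty list means every downlink VLAN is covered."""
    ifaces = _entries(cfg, "system interface")
    lanext = {n for n, e in ifaces.items() if e["attrs"].get("type") == ["lan-extension"]}
    vlan_by_id = {}  # pvid -> VLAN interface stacked on a LAN-extension interface
    for name, e in ifaces.items():
        parent, vid = e["attrs"].get("interface", [None])[0], e["attrs"].get("vlanid")
        if parent in lanext and vid:
            vlan_by_id[int(vid[0])] = name
    src_with_policy = {i for p in _entries(cfg, "firewall policy").values()
                       for i in p["attrs"].get("srcintf", [])}
    findings = []
    for pname, prof in _entries(cfg, "extension-controller extender-profile").items():
        for dname, d in _entries(prof, "lan-extension", "downlinks").items():
            port, pvid = d["attrs"]["port"][0], int(d["attrs"]["pvid"][0])
            vlan_if = vlan_by_id.get(pvid)
            if vlan_if is None:
                findings.append(f"{pname}/{dname}: {port} pvid {pvid} has no VLAN interface on the LAN-extension interface")
            elif vlan_if not in src_with_policy:
                findings.append(f"{pname}/{dname}: {port} pvid {pvid} -> {vlan_if} has no firewall policy with srcintf {vlan_if}")
    return findings

if __name__ == "__main__":
    print(*(audit_lan_extension(parse_fortios(SAMPLE_CONFIG)) or ["OK: all downlink VLANs covered"]), sep="\n")
```

Run against the sample it reports the port5 / VLAN 401 downlink as having no policy; feed it the output of `show full-configuration` from a FortiGate (or a saved backup) and it reports the same gaps for the live device. The parser only understands the config/edit/set/next/end shape, which is all this check needs.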