Administration Guide

Creating FortiSwitch VLANs

To create a FortiSwitch VLAN:
  1. Go to FortiSwitch Manager > FortiSwitch Templates.
  2. In the tree menu, select VLANs.
  3. In the content pane, click Create New in the toolbar. The Create New VLAN Definition window opens.

  4. Enter the following information, then click OK to add the new VLAN.

    Interface Name

    Enter a name for the interface.

    VLAN ID

    Enter the VLAN ID.

    Role

    Select the role for the interface: DMZ, LAN, UNDEFINED, or WAN.

    Estimated Bandwidth

    Enter the estimated upstream and downstream bandwidths.

    This option is only available when Role is WAN.

    Address

    Addressing mode

    The addressing mode.

    IP/Network Mask

    Enter the IP address and netmask.

    IPv6 Addressing mode

    Select the IPv6 addressing mode: Manual or DHCP.

    IPv6 Address/Prefix

    Enter the IPv6 address.

    This option is only available when IPv6 Addressing mode is Manual.

    Restrict Access

    Administrative Access

    Select the allowed administrative service protocols from: CAPWAP, DNP, FGFM, FTM, HTTP, HTTPS, PING, PROBE-RESPONSE, RADIUS-ACCT, SNMP, SSH, and TELNET.

    IPv6 Administrative Access

    Select the allowed administrative service protocols from: CAPWAP, FGFM, HTTP, HTTPS, PING, SNMP, SSH, and TELNET.

    DHCP Server

    Turn the DHCP server on or off.

    This option is only available when Role is LAN or UNDEFINED.

    DHCP Server IP

    Enter the DHCP server IP address.

    This option is only available when DHCP Server is ON and Mode is Relay.

    Address Range

    Configure address ranges for DHCP. Click Create to create a new range. Ranges can also be edited and deleted as required.

    This option is only available when DHCP Server is ON and Mode is Server.

    Netmask

    Enter the netmask.

    This option is only available when DHCP Server is ON and Mode is Server.

    Default Gateway

    Configure the default gateway: Same as Interface IP, or Specify. If set to Specify, enter the gateway IP address in the field.

    This option is only available when DHCP Server is ON and Mode is Server.

    DNS Server

    Configure the DNS server: Same as System DNS, Same as Interface IP, or Specify.

    This option is only available when DHCP Server is ON and Mode is Server.

    DNS Server 1 - 3

    Enter the DNS server IP addresses.

    This option is only available when DHCP Server is ON, Mode is Server, and DNS Server is Specify.

    Mode

    Select the DHCP mode: Server or Relay.

    This option is only available when DHCP Server is ON.

    NTP Server

    Configure the NTP server: Local, Same as System NTP, or Specify. If set to Specify, enter the NTP server IP address in the field.

    This option is only available when DHCP Server is ON and Mode is Server.

    Time Zone

    Configure the timezone: Disable, Same as System, or Specify. If set to Specify, select the timezone from the dropdown list.

    This option is only available when DHCP Server is ON and Mode is Server.

    Next Bootstrap Server

    Enter the IP address of the next bootstrap server.

    This option is only available when DHCP Server is ON and Mode is Server.

    Additional DHCP Options

    In the Lease Time field, enter the lease time, in seconds. Default: 604800 seconds (7 days).

    Add DHCP options to the table. See To add additional DHCP options: for details. Options can also be edited and deleted as required.

    This option is only available when DHCP Server is ON and Mode is Server.

    MAC Reservation + Access Control

    Select the action to take with unknown MAC addresses: assign or block.

    Add MAC address actions to the table. See To add a MAC address reservation: for details. Reservations can also be edited and deleted as required.

    This option is only available when DHCP Server is ON and Mode is Server.

    Type

    Select the type: Regular, or IPsec.

    This option is only available when DHCP Server is ON.

    Networked Devices

    These options are only available when Role is DMZ, LAN, or UNDEFINED.

    Device Detection

    Turn device detection on or off.

    Active Scanning

    Turn active scanning on or off.

    This option is only available when Device Detection is on.

    Admission Control

    These options are only available when Role is LAN or UNDEFINED.

    Security Mode

    Select the security mode: CAPTIVE-PORTAL, or NONE.

    Authentication Portal

    Configure the authentication portal: Local or External. If External is selected, enter the portal in the field.

    This option is only available when Security Mode is CAPTIVE-PORTAL.

    User Access

    Select Restricted to Groups or Allow All.

    This option is only available when Security Mode is CAPTIVE-PORTAL.

    User Groups

    Select user groups from the available groups.

    This option is available when Security Mode is CAPTIVE-PORTAL and User Access is Restricted to Groups.

    Exempt Sources

    Select sources that are exempt from the available firewall addresses.

    This option is only available when Security Mode is CAPTIVE-PORTAL.

    Device

    Select user devices, device categories, and/or device groups.

    This option is only available when Security Mode is CAPTIVE-PORTAL.

    Exempt Destinations

    Select destinations that are exempt from the available firewall addresses.

    This option is only available when Security Mode is CAPTIVE-PORTAL.

    Exempt Services

    Select services that are exempt from the available firewall services.

    This option is only available when Security Mode is CAPTIVE-PORTAL.

    Miscellaneous

    Scan Outgoing Connections to Botnet Sites

    Select Block, Disable, or Monitor.

    Secondary IP Address

    Turn secondary IP addresses on or off.

    Add IP addresses to the table. See To add a secondary IP address: for details. Addresses can also be edited and deleted as required.

    Status

    Comments

    Optionally, enter comments.

    Interface State

    Select if the interface is Enabled or Disabled.

    Advanced Options

    Color

    Change the color of the interface to one of the 32 options.

    Per-Device Mapping

    Enable per-device mapping.

    Add mappings to the table. See To add per device mapping: for details. Mappings can also be edited and deleted as required.
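
The following is an added example, not part of the original guide and not Fortinet code: a pre-change lint that checks a planned VLAN definition against the availability rules in the field list above and flags the cleartext Administrative Access protocols (HTTP and TELNET), including on secondary IP addresses. The dictionary keys and the sample definition are hypothetical stand-ins for the GUI fields.

```python
# Added example: pre-change lint for a planned VLAN definition.
# The dict keys are hypothetical stand-ins for the GUI fields, not a Fortinet API.
CLEARTEXT = {"HTTP", "TELNET"}  # management protocols that are not encrypted

def lint_vlan(v):
    """Return a list of findings for one planned VLAN definition (a dict)."""
    out = []
    role = v.get("role", "UNDEFINED")
    dhcp = v.get("dhcp_server", False)
    mode = v.get("dhcp_mode")
    vid = v.get("vlan_id")
    if not isinstance(vid, int) or not 1 <= vid <= 4094:
        out.append("vlan_id: outside the 802.1Q range 1-4094")
    # Cleartext management protocols on the interface or on any secondary IP.
    access = [("admin_access", v.get("admin_access", [])),
              ("ipv6_admin_access", v.get("ipv6_admin_access", []))]
    access += [(f"secondary_ip[{i}]", s.get("admin_access", []))
               for i, s in enumerate(v.get("secondary_ips", []))]
    for field, protos in access:
        for p in sorted(CLEARTEXT & {x.upper() for x in protos}):
            out.append(f"{field}: {p} is cleartext, prefer HTTPS/SSH")
    # Availability rules stated in the field list.
    if "estimated_bandwidth" in v and role != "WAN":
        out.append("estimated_bandwidth: only available when Role is WAN")
    if dhcp and role not in ("LAN", "UNDEFINED"):
        out.append("dhcp_server: only available when Role is LAN or UNDEFINED")
    if dhcp and mode not in ("Server", "Relay"):
        out.append("dhcp_mode: must be Server or Relay when DHCP Server is ON")
    if "dhcp_server_ip" in v and not (dhcp and mode == "Relay"):
        out.append("dhcp_server_ip: only available when Mode is Relay")
    for key in ("address_ranges", "mac_reservations", "dhcp_options"):
        if key in v and not (dhcp and mode == "Server"):
            out.append(f"{key}: only available when Mode is Server")
    if v.get("active_scanning") and not v.get("device_detection"):
        out.append("active_scanning: only available when Device Detection is on")
    if v.get("security_mode") == "CAPTIVE-PORTAL" and role not in ("LAN", "UNDEFINED"):
        out.append("security_mode: Admission Control needs Role LAN or UNDEFINED")
    return out

# Constructed sample input (addresses and names are made up).
SAMPLE = {"name": "vl-guest", "vlan_id": 120, "role": "WAN",
          "admin_access": ["HTTPS", "PING", "TELNET"],
          "dhcp_server": True, "dhcp_mode": "Relay",
          "address_ranges": [("10.20.0.10", "10.20.0.200")],
          "secondary_ips": [{"ip": "10.20.1.1/24", "admin_access": ["http"]}]}

if __name__ == "__main__":
    for finding in lint_vlan(SAMPLE):
        print(finding)
```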

To add additional DHCP options:
  1. Click Create in the Additional DHCP Options table toolbar. The Additional DHCP Options dialog box opens.

  2. Enter the Option Code.
  3. Select the Type: hex, ip, or string.
  4. Enter the corresponding value.
  5. Click OK to create the option.
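
The following is an added example, not part of the original guide and not Fortinet code: it shows how an Option Code, Type (hex, ip, or string), and value map to the standard DHCPv4 option encoding of code, length, and data (RFC 2132), which is useful when reviewing exactly what bytes clients will receive. The helper name `encode_option`, the space-separated form for multiple addresses, and the sample values are assumptions of this example.

```python
# Added example: how an Option Code + Type + value becomes bytes on the wire.
# encode_option() is a hypothetical helper, not a Fortinet function.
import ipaddress

def encode_option(code, typ, value):
    """Encode one DHCPv4 option as code | length | data (RFC 2132)."""
    if not 1 <= code <= 254:          # 0 is Pad and 255 is End; neither carries data
        raise ValueError("option code must be 1-254")
    if typ == "hex":
        data = bytes.fromhex(value)   # raises ValueError on odd length or non-hex
    elif typ == "ip":
        # One or more IPv4 addresses, 4 bytes each (space-separated in this example).
        data = b"".join(ipaddress.IPv4Address(a).packed for a in value.split())
    elif typ == "string":
        data = value.encode("ascii")  # no NUL terminator is added
    else:
        raise ValueError("type must be hex, ip, or string")
    if not 1 <= len(data) <= 255:     # the length field is a single byte
        raise ValueError("option data must be 1-255 bytes")
    return bytes([code, len(data)]) + data

# Constructed sample options (documentation addresses and a made-up hostname).
SAMPLES = [
    (66, "string", "boot.example.test"),        # TFTP server name
    (150, "ip", "192.0.2.10 192.0.2.11"),       # TFTP server addresses
    (43, "hex", "0104c0000201"),                # vendor-specific information
]

if __name__ == "__main__":
    for code, typ, value in SAMPLES:
        print(code, typ, encode_option(code, typ, value).hex())
```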

To add a MAC address reservation:
  1. Click Create in the MAC Reservation + Access Control table toolbar. The MAC Reservation + Access Control dialog box opens.

  2. Enter the MAC Address.
  3. Select the End IP: Assign IP, Block, or Reserve IP. If reserving the IP address, enter it in the field.
  4. Optionally, enter a description.
  5. Click OK to create the reservation.

To add a secondary IP address:
  1. Click Create New in the Secondary IP address table toolbar. A dialog box opens.
  2. Enter the IP address and netmask in the IP/Network Mask field.
  3. Select the allowed administrative service protocols from: CAPWAP, DNP, FGFM, FTM, HTTP, HTTPS, PING, PROBE-RESPONSE, RADIUS-ACCT, SNMP, SSH, and TELNET.
  4. Click OK to add the address.

To add per device mapping:
  1. Click Create New in the Per-Device Mapping table toolbar. The Per-Device Mapping dialog box opens.

  2. Select the device to be mapped from the Mapped Device drop-down list.
  3. Enter the VLAN ID.
  4. Enter the mapped IP address and netmask in the Mapped IP/Netmask field.
  5. If required, enable DHCP Server and configure the options (options are the same as when creating a new VLAN definition).
  6. Click OK to add the device mapping.
