FortiGate: Software-/ Hardware-/ VLAN-Switch

I am still a bit confused about the different switch types a FortiGate firewall is able to handle. While there is a lot of information on the Internet about the “internal-switch-mode” of “switch/interface”, I have not found any good information about the differences between the “Hardware/Software/VLAN” switch types that are configured via the GUI or via the “virtual-switch-vlan enable” CLI command. Though I still don’t know all the differences exactly, I am trying to explain some of them here.

Possibilities

This table lists the possible switch types. The first column shows the configured switch mode ( set internal-switch-mode {interface|switch} ), the second is the VLAN switch mode ( set virtual-switch-vlan {enable|disable} ), and the last column shows the possible switch types that can be configured within these scenarios (software, hardware, VLAN):

Switch Mode                     VLAN Switch Mode                 Switch Types
(set internal-switch-mode ...)  (set virtual-switch-vlan ...)
switch                          disable                          Software Switch
switch                          enable                           Software Switch
interface                       disable                          Hardware Switch, Software Switch
interface                       enable                           VLAN Switch, Software Switch

Mode: Switch or Interface

This is explained on many pages on the Internet and even in some official Fortinet documentation such as here. Mostly, you want the “interface” mode, in which you can configure every interface on a FortiGate to be a unique layer-3 interface. Currently, when a FortiGate is factory reset, the default is “interface” mode.


Type: Software, Hardware, or VLAN

Now it’s getting a bit more interesting. As the table above shows, the software switch is available in every scenario, while the other two are only possible in “interface” mode. In any case, each switch you create must be configured with an IP address.

  • Software Switch: This is a logical (!) bundle of interfaces of different types. It can be used if physical interfaces and WiFi interfaces/SSIDs/etc. should be bound together. (I am not sure, but it sounds like this switch type is controlled merely by the CPU. Maybe it’s not that fast compared to the hardware switch?)
  • Hardware Switch: A hardware switch binds hardware interfaces together that are physically present on the same integrated switch. This is hardware dependent: not all FortiGate models can be configured in the same way for hardware switches.
  • VLAN Switch: This is a type of hardware switch that additionally carries a VLAN ID. With this feature it is possible to create a hardware switch within a VLAN that already exists on the network. This VLAN can be connected through another interface port in trunk mode to transport it to other layer-2 switches.
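To tie the table to the CLI, here is an added configuration sketch (my own example, not from the original post or Fortinet documentation) that builds all three switch types. The port names, the SSID name “wifi-ssid”, the physical switch name “sw0” and VLAN 10 are assumed placeholders, and the two “system global” blocks are alternatives matching table rows 3 and 4, not steps to run in sequence; the exact keys and available ports depend on model and firmware, so check them against your CLI reference.

```text
# Added example, not from the original post: placeholders port1..port4,
# "wifi-ssid", physical switch "sw0" and VLAN 10; verify keys per model/firmware.
# Table row 3: interface mode + VLAN switch mode disabled -> hardware/software switch
config system global
    set internal-switch-mode interface
    set virtual-switch-vlan disable
end
# Hardware switch: only ports on the same integrated switch chip ("sw0")
config system virtual-switch
    edit "hw-lan"
        set physical-switch "sw0"
        config port
            edit "port1"
            next
            edit "port2"
            next
        end
    next
end
# Software switch: CPU-handled bundle of interfaces of different types
config system switch-interface
    edit "soft-sw"
        set type switch
        set member "port3" "wifi-ssid"
    next
end
# Table row 4: interface mode + VLAN switch mode enabled -> VLAN switch with an ID
config system global
    set virtual-switch-vlan enable
end
config system virtual-switch
    edit "vlan10-switch"
        set physical-switch "sw0"
        set vlan 10
        config port
            edit "port4"
            next
        end
    next
end
# Every switch is a layer-3 interface and needs its own IP address
config system interface
    edit "hw-lan"
        set ip 192.0.2.1 255.255.255.0
    next
    edit "vlan10-switch"
        set ip 198.51.100.1 255.255.255.0
    next
end
```

Whichever type you pick, the firewall policies and the IP address are attached to the switch name (for example “hw-lan”), not to the member ports, so check with “show system interface” that every switch you created carries an address before you rely on it.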

I hope this brings a bit more understanding. Please write a comment if I missed something or explained something wrong.

Featured image “HP A5800 Switch Stack” by Johannes Weber is licensed under CC BY 2.0.
