I am still a bit confused about the different switch types a FortiGate firewall is able to handle. While there is a lot of information on the Internet about the “internal-switch-mode” of “switch/interface”, I have not found any good information about the differences between the “Hardware/Software/VLAN” switch types that are configured via the GUI or via the “virtual-switch-vlan enable” CLI command. Though I still don’t know all the differences exactly, I am trying to explain some of them here.
Possibilities
This table lists the possible switch types. The first column shows the configured switch mode (set internal-switch-mode {interface|switch}), the second the VLAN switch mode (set virtual-switch-vlan {enable|disable}), and the last column shows the switch types that can be configured in that combination (software, hardware, VLAN):
Switch Mode (set internal-switch-mode ...) | VLAN Switch Mode (set virtual-switch-vlan ...) | Possible Switch Types
---|---|---
switch | disable | Software Switch
switch | enable | Software Switch
interface | disable | Hardware Switch, Software Switch
interface | enable | VLAN Switch, Software Switch
Mode: Switch or Interface
This is explained on many pages on the Internet and even in some official Fortinet documentation, such as here. Mostly you want the “interface” mode, in which every port on a FortiGate can be configured as its own layer-3 interface. Currently, when a FortiGate is factory reset, the default is “interface” mode:

```
config system global
    set internal-switch-mode interface
end
```
Type: Software, Hardware, or VLAN
Now it gets a bit more interesting. As the table shows, the software switch is available in both modes, while the hardware switch and the VLAN switch are only possible in “interface” mode. In any case, each switch you create appears as a single interface that is configured with an IP address, and firewall policies reference the switch, not its member ports.
- Software Switch: This is a logical (!) bond of interfaces of different types. It can be used if physical interfaces and WiFi interfaces/SSIDs etc. should be bound together into one layer-2 segment. The bridging between the members is done in software by the CPU and not by the integrated switch chip, so it is not as fast as a hardware switch.
- Hardware Switch: A hardware switch binds physical ports together that sit on the same integrated switch chip, and the switching between them is done in that chip. This is hardware dependent: not every FortiGate model has the same ports on the same switch chip, so not all of them can be configured in the same way for hardware switches.
- VLAN Switch: This is a hardware switch with a VLAN ID attached to it. With this feature it is possible to create a hardware switch inside an already present VLAN on the network. This VLAN can be connected through another interface port in trunk (tagged) mode to transport the VLAN to other layer-2 switches.
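To make the three types from the table and the list above concrete, here is how each of them is created on the CLI. This is an added example and not configuration from the original post. The switch names (lan-sw, hw-lan, vlan100-sw), the member ports port1 to port4, the SSID interface wifi-ssid, the physical switch name sw0 and the VLAN ID 100 are assumptions; which ports sit on which switch chip differs between models, so check your own unit with “show system physical-switch” before copying anything.

```fortios
# Added example, not from the original post. Port names, "wifi-ssid", "sw0"
# and the VLAN ID are assumptions and differ per model.
# Hardware and VLAN switches need "interface" mode; changing the mode
# requires a reboot.
config system global
    set internal-switch-mode interface
    # only needed for the VLAN switch further down
    set virtual-switch-vlan enable
end

# 1) Software switch: members of ANY type (here a physical port plus an
#    SSID interface), bridged in software by the CPU.
config system switch-interface
    edit "lan-sw"
        set vdom "root"
        set type switch
        set member "port1" "wifi-ssid"
        # default "implicit": traffic between members bypasses firewall
        # policies. "explicit" forces member-to-member traffic through them.
        set intra-switch-policy explicit
    next
end

# 2) Hardware switch: members must be physical ports on the same switch
#    chip ("sw0" here); the chip switches between them, not the CPU.
config system virtual-switch
    edit "hw-lan"
        set physical-switch "sw0"
        config port
            edit "port2"
            next
            edit "port3"
            next
        end
    next
end

# 3) VLAN switch: a hardware switch that carries one VLAN ID; only
#    possible with virtual-switch-vlan enabled (see above).
config system virtual-switch
    edit "vlan100-sw"
        set physical-switch "sw0"
        set vlan 100
        config port
            edit "port4"
            next
        end
    next
end

# Every switch is itself an interface: give it an IP (documentation
# prefixes used here) and reference it in policies instead of the ports.
config system interface
    edit "lan-sw"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "hw-lan"
        set ip 198.51.100.1 255.255.255.0
        set allowaccess ping
    next
    edit "vlan100-sw"
        set ip 203.0.113.1 255.255.255.0
        set allowaccess ping
    next
end
```

Two things to keep in mind when trying this: a port can be a member of only one switch, and a port that is still referenced elsewhere (an IP address, a firewall policy, a DHCP server) has to be freed from those references before it can be added as a member. The intra-switch-policy setting is the security-relevant one: with the default, hosts on the member ports of a software switch talk to each other at layer 2 without ever hitting a firewall policy, and on a hardware or VLAN switch that is always the case because the switch chip forwards the traffic.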
I hope this brings a bit more understanding. Please write a comment if I missed something or explained something wrong.