201106SoftwareSwitchWiFi-v1 5
agodwin
Bridging Physical and Wireless Interfaces with Software Switch
Configuration Example
Introduction
Introduced in FortiOS 3.0 MR6, a software switch is a type of interface that can be configured to form a bridge between two or more physical or wireless FortiGate interfaces. Once physical and wireless interfaces are added to a software switch interface they become interface members and, as such, can no longer be accessed as individual interfaces. For the most part a software switch interface functions like a normal interface: it can be configured with a single IP address, it can be added to a zone, and it can be used in the definition of firewall policies. It should be noted, however, that software switch interfaces have some limitations, as described in "Deployment Considerations".
This document illustrates the steps to configure a software switch interface to bridge a physical and a wireless interface, forming a single broadcast domain (Layer 2 segment). This configuration is useful in environments where applications require physical and wireless users to be in the same Layer 2 segment. While using a software switch interface is a viable solution, it is critical to understand the security and performance implications that derive from bridging physical and wireless interfaces into a single broadcast domain. These are discussed next in "Deployment Considerations".
Deployment Considerations
The following are important aspects that should be understood prior to using a software switch interface to bridge physical and wireless interfaces:
· Bridging a physical and a wireless interface merges two broadcast domains into one, making the resulting segment more vulnerable to broadcast and multicast storms: a storm originating on either medium now affects both.
· Bridging a physical and a wireless interface goes against the general security best practice of keeping the wireless and wired infrastructures separated. Connecting physical and wireless segments together means traffic may be forwarded between the two media types, so a host that joins the wireless segment reaches the wired hosts at Layer 2, increasing the chances for interception, redirection and replay attacks. Any wired client on the software switch is only as protected as the wireless segment's authentication and encryption allow.
· Traffic handled by a software switch interface is CPU-processed and not hardware-accelerated.
· Software switch member interfaces cannot be monitored by HA or be used as heartbeat devices.
Requirements
A FortiWiFi or FortiGate appliance running FortiOS 3.0 MR6 or later is required to configure a software switch interface.
This configuration example uses a FortiGate 50B (FortiOS 4.0 MR3-build0441) and a FortiAP 220B (v4.0-build212). The same configuration procedure has been successfully tested with a FortiWiFi 60C (FortiOS 4.0 MR3-build0441) and a FortiAP 220A (v4.0-build214).
Network Diagram
The diagram below illustrates the network topology used. The wan2 physical interface of the FG-50B connects to the Internet, while the internal physical interface connects to a physical switch in the internal network (192.168.40.5/24). The FortiAP connects to the same internal switch serving the internal users. Wireless is configured with the SSID Interna_Wifi.
Figure 1 Network Diagram
Configuration Procedure
The configuration procedure includes the following steps:
· Create the software switch interface
· Configure a DHCP server and scope to be shared by the wired and wireless devices
· Configure the necessary firewall policies for the wired and wireless users
· Verify that the configuration is working as expected
Note: The configuration procedure in this example assumes that the wireless interface and SSID have already been configured, and that the FortiAP is configured and connected to the wireless controller on the FortiGate appliance.
Figure 2 FortiGate Interfaces (before Software Switch configuration)
Step 1 Create Software Switch Interface
The first step is to create the software switch interface, assign it an interface name and configure an IP address. Using the web-based manager go to System > Network > Interface and click on Create New.
Note: Only physical and wireless interfaces that are not already in use can be associated with the software switch.
Figure 3 shows the software switch interface configuration used in our example, called "InternalNetwork". The software switch interface is associated with the "Interna_Wifi" wireless interface and the "internal" physical interface. The software switch interface is configured with a static IP address of 192.168.50.1. Administrative access is enabled for HTTPS, PING and SSH. Because the member interfaces are no longer addressable individually, this administrative access applies to the whole bridged segment, wired and wireless alike, so enable only the protocols that are actually needed.
Figure 3 Software Switch Interface
The same configuration can be done by using FortiOS CLI:
config system switch-interface
    edit InternalNetwork
        set type switch
        set member Interna_Wifi internal
    next
end
config system interface
    edit InternalNetwork
        set ip 192.168.50.1 255.255.255.0
        set allowaccess ping https ssh
        set type switch
    next
end
Step 2 Configure a DHCP Server
Create a DHCP server and address scope to be shared by wired and wireless users, and associate the DHCP server with the software switch interface you configured in the previous step. Using the web-based manager go to System > Network > DHCP Server and click on Create New. This configuration is shown in the figure below. A DHCP pool of IP addresses is defined as 192.168.50.10 to 192.168.50.200, and the default gateway is set to the IP address assigned to the software switch interface, which is 192.168.50.1.
Figure 4 DHCP Server
The same steps but using FortiOS CLI:
config system dhcp server
    edit 0
        set default-gateway 192.168.50.1
        set dns-service default
        set interface InternalNetwork
        config ip-range
            edit 0
                set start-ip 192.168.50.10
                set end-ip 192.168.50.200
            next
        end
        set netmask 255.255.255.0
    next
end
Step 3 Configure Firewall Policy
The appropriate firewall policies need to be configured in order to allow wired and wireless users to access the Internet or other resources. Using the web-based manager go to Firewall > Policy and click on Create New. In this example a firewall policy is defined allowing any traffic from the internal network (Network_192.168.50.0) to any destination on the wan2 interface connecting towards the Internet. NAT is also enabled, as shown in Figure 5. Note that the policy references the software switch interface (InternalNetwork) as the source interface: the "internal" and "Interna_Wifi" members can no longer be used in policies on their own, so a single policy covers both wired and wireless users. Traffic between wired and wireless hosts within the bridged segment is switched at Layer 2 and is not subject to this policy.
Figure 5 Firewall Policy
The same configuration but this time using FortiOS CLI:
config firewall policy
    edit 0
        set srcintf InternalNetwork
        set dstintf wan2
        set srcaddr Network_192.168.50.0
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set nat enable
    next
end
Step 4 Verify Configuration
At this point wired and wireless users should be able to communicate with each other and to access the Internet. A simple way to verify that the software switch interface configuration is working as expected is to check the DHCP lease table. Both wired and wireless users should be given IP addresses in the same subnet, 192.168.50.0/24 in our example. To see the DHCP lease table using the web-based manager go to System > Monitor > DHCP Monitor.
Figure 6 DHCP Monitor
Using the FortiOS CLI, run the following command (the interface name is optional; with it, only leases handed out on that interface are listed):
execute dhcp lease-list [interface_name]
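The three CLI fragments above are easy to get subtly wrong when typed by hand, and the limitations listed under "Deployment Considerations" (members cannot be HA heartbeat or monitored interfaces, members cannot be used as individual interfaces) are not flagged by the device at configuration time in any obvious way. The following script is an added example, not part of the original Fortinet document and not a Fortinet tool: it parses a FortiOS-style configuration dump with a minimal reader of the config/edit/set/next/end structure and checks that the software switch, DHCP scope and firewall policy agree with each other. The configuration text embedded in it is constructed for the example (it mirrors the steps above, plus a deliberate mistake: an HA heartbeat bound to the "internal" member). The stanza names "system ha", "hbdev" and "monitor" are the FortiOS names as the author understands them; treat them as assumptions to check against your firmware's CLI reference.

```python
import ipaddress
import shlex

# Constructed FortiOS configuration fragment (not captured from a device).
# It reproduces the software switch, DHCP server and policy from the
# procedure and adds an HA stanza that wrongly uses a member interface.
SAMPLE_CONFIG = """\
config system switch-interface
    edit InternalNetwork
        set type switch
        set member Interna_Wifi internal
    next
end
config system interface
    edit InternalNetwork
        set ip 192.168.50.1 255.255.255.0
        set allowaccess ping https ssh
        set type switch
    next
end
config system dhcp server
    edit 1
        set default-gateway 192.168.50.1
        set interface InternalNetwork
        config ip-range
            edit 1
                set start-ip 192.168.50.10
                set end-ip 192.168.50.200
            next
        end
        set netmask 255.255.255.0
    next
end
config system ha
    set hbdev internal 50
end
config firewall policy
    edit 1
        set srcintf InternalNetwork
        set dstintf wan2
        set srcaddr Network_192.168.50.0
        set dstaddr all
        set action accept
        set nat enable
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts.

    'config <path>' and 'edit <name>' open a nested dict; 'set k v...'
    stores the value list; 'next' and 'end' close the current level.
    """
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        cmd, args = tok[0], tok[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def check_switch(cfg, name="InternalNetwork"):
    """Return a list of findings for the software switch `name` (empty = consistent)."""
    findings = []
    sw = cfg.get("system switch-interface", {}).get(name)
    if not sw or sw.get("type") != ["switch"]:
        return [f"{name}: no software switch of that name"]
    members = set(sw.get("member", []))
    ip = cfg.get("system interface", {}).get(name, {}).get("ip")
    if not ip:
        return [f"{name}: switch interface has no IP address"]
    net = ipaddress.ip_network(f"{ip[0]}/{ip[1]}", strict=False)
    # Members are consumed by the switch: they must not be HA heartbeat or
    # monitored interfaces, nor appear as interfaces in firewall policies.
    ha = cfg.get("system ha", {})
    for key in ("hbdev", "monitor"):
        for m in sorted(members & set(ha.get(key, []))):
            findings.append(f"{m}: switch member referenced by HA {key}")
    for pid, pol in cfg.get("firewall policy", {}).items():
        for key in ("srcintf", "dstintf"):
            for m in sorted(members & set(pol.get(key, []))):
                findings.append(f"policy {pid}: {key} uses member {m} instead of {name}")
    # The shared DHCP scope must sit on the switch interface, inside its
    # subnet, with the switch IP as default gateway.
    scopes = [s for s in cfg.get("system dhcp server", {}).values()
              if s.get("interface") == [name]]
    if not scopes:
        findings.append(f"{name}: no DHCP server bound to the switch interface")
    for s in scopes:
        gw = s.get("default-gateway", [None])[0]
        if gw != ip[0]:
            findings.append(f"{name}: DHCP gateway {gw} is not the switch IP {ip[0]}")
        for r in s.get("ip-range", {}).values():
            lo = ipaddress.ip_address(r["start-ip"][0])
            hi = ipaddress.ip_address(r["end-ip"][0])
            if lo not in net or hi not in net or lo > hi:
                findings.append(f"{name}: DHCP range {lo}-{hi} outside {net}")
    return findings


if __name__ == "__main__":
    for line in check_switch(parse_fortios(SAMPLE_CONFIG)) or ["OK"]:
        print(line)
```

Run it against a `show full-configuration` dump (or the relevant stanzas pasted into `SAMPLE_CONFIG`) before committing the change on a production unit. On the constructed input it reports the single HA heartbeat finding; deleting that `set hbdev` line yields an empty finding list.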
Related Information
For more information on how to configure and troubleshoot FortiGate and FortiWifi appliances, please visit: http://docs.fortinet.com/fgt.html
Copyright© 2010 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions. Network variables, different network environments and other conditions may affect performance results, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding contract with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Certain Fortinet products are licensed under U.S. Patent No. 5,623,600.