In Fortigate, a softswitch is a Layer-2 switching interface that aggregates multiple physical or virtual interfaces into a single broadcast domain. All interfaces that join the softswitch behave as members of the same logical switch, and Ethernet frames are forwarded between them just like in a traditional Layer-2 switch.
Although a softswitch operates primarily at Layer-2, Fortigate allows you to assign a Layer-3 IP address directly on the softswitch interface. When an IP address is configured on the softswitch, it acts as the gateway for the untagged broadcast domain, similar to an SVI (Switch Virtual Interface) on a traditional switch. This gives the softswitch domain basic Layer-3 routing capability.
When VLAN sub-interfaces are created under a softswitch, each VLAN sub-interface becomes an independent Layer-3 logical interface. Each sub-interface has its own VLAN ID and IP address, just like VLAN sub-interfaces configured on a regular trunk port. In this scenario:
The IP address of the softswitch interface does not directly interact with the VLAN sub-interfaces, because each VLAN sub-interface forms its own isolated broadcast domain.
Communication between VLAN sub-interfaces is handled through Fortigate’s Layer-3 routing engine and is controlled by firewall policies.
The softswitch interface’s own IP only applies to untagged traffic (the native VLAN) and does not participate in the L2/L3 processing of traffic within VLAN sub-interfaces.
Therefore, when a softswitch interface has its own Layer-3 address and also contains multiple VLAN sub-interfaces, the communication model works as follows:
Softswitch main interface: Acts as the gateway for the untagged Layer-2 domain.
VLAN sub-interfaces: Serve as individual Layer-3 gateways for their respective VLANs.
Inter-VLAN communication: Requires L3 routing and firewall policies on the Fortigate.
Traffic between the softswitch main interface and any VLAN interface: Also goes through L3 routing and policies; they do not communicate at Layer-2.
Migrate to Sangfor NGFW
1. Scenario where the softswitch has an IP address and carries only untagged traffic
(equivalent to Fortigate softswitch + IP)
In this scenario, the Fortigate softswitch interface functions both as a Layer-2 switching domain and as a Layer-3 gateway for untagged traffic. When migrating to a Sangfor firewall, the recommended approach is as follows:
1.1 Configure multiple physical interfaces as Layer-2 interfaces.
1.2 Add these Layer-2 interfaces into the same Layer-2 domain (i.e., the same switching instance).
1.3 Configure the Access ID or Native VLAN on these Layer-2 interfaces as VLAN 1 (corresponding to the untagged broadcast domain on Fortigate).
1.4 Create a VLAN interface with VLAN ID 1 on the firewall (for example, vlan1).
1.5 Assign the original softswitch IP address to this VLAN 1 interface so it can act as the Layer-3 gateway for untagged traffic.
Using this design, the Sangfor firewall can achieve the same behavior as the Fortigate softswitch (with Layer-3 IP), including:
Multiple physical ports communicating as Layer-2 switch ports
Untagged traffic converging on VLAN 1
The VLAN 1 interface acting as the Layer-3 gateway
2. Scenario where the softswitch has an IP address and contains VLAN 100 and VLAN 200
(softswitch + vlan100 + vlan200)
In this scenario, the Fortigate softswitch has a Layer-3 IP for untagged traffic and also contains two VLAN sub-interfaces: VLAN 100 and VLAN 200. The migration plan is as follows:
2.1 Configure multiple physical interfaces as Layer-2 interfaces.
2.2 Add these physical interfaces into the same Layer-2 domain, matching the behavior of the Fortigate softswitch.
2.3 Configure the VLAN mode of these Layer-2 interfaces as trunk, and allow VLANs 1 (untagged/native VLAN), 100, and 200 on the trunk.
2.4 Create separate VLAN interfaces for VLAN 1, VLAN 100, and VLAN 200 (for example, vlan1, vlan100, vlan200).
2.5 Assign the Fortigate softswitch IP, VLAN 100 IP, and VLAN 200 IP to the corresponding VLAN interfaces on the Sangfor firewall.
With this configuration, the Sangfor firewall can achieve the following functions:
Multiple physical ports operating as trunk interfaces carrying untagged, VLAN 100, and VLAN 200 traffic
VLAN 1, VLAN 100, and VLAN 200 Layer-3 gateways all provided by the firewall’s VLAN interfaces
Inter-VLAN communication controlled by firewall Layer-3 policies, consistent with Fortigate behavior
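As an added illustration (not code from the original article, Fortinet, or Sangfor), the following Python script parses a constructed FortiGate-style CLI snippet and derives the Sangfor target layout described in scenarios 1 and 2 above: the Layer-2 member interfaces, the VLAN mode (access when only untagged traffic exists, trunk when VLAN sub-interfaces exist), the allowed VLANs, and the VLAN interfaces with their addresses. The interface names and IP addresses are made up, and the parser only understands the `edit`/`set` lines shown.

```python
import re

# Constructed FortiGate-style CLI snippet (not from the article): softswitch "softsw"
# with two member ports, an IP for the untagged domain, and VLAN 100/200 sub-interfaces.
SAMPLE_CONFIG = """
config system switch-interface
  edit "softsw"
    set member "port3" "port4"
  next
end
config system interface
  edit "softsw"
    set ip 10.0.1.1 255.255.255.0
  next
  edit "vlan100"
    set interface "softsw"
    set vlanid 100
    set ip 10.0.100.1 255.255.255.0
  next
  edit "vlan200"
    set interface "softsw"
    set vlanid 200
    set ip 10.0.200.1 255.255.255.0
  next
end
"""

def parse_fortigate(text):
    """Collect 'set' attributes per 'edit' object; same-named objects are merged."""
    objs, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            cur = objs.setdefault(line.split('"')[1], {})
        elif line.startswith("set ") and cur is not None:
            key, _, val = line[4:].partition(" ")
            cur[key] = re.findall(r'"([^"]*)"', val) if key == "member" else val.strip('"')
    return objs

def migration_plan(objs, softswitch):
    """Map a softswitch to the Sangfor layout: L2 members in one domain, one VLAN interface per VLAN."""
    sw = objs[softswitch]
    vlans = {1: sw.get("ip")}  # VLAN 1 carries the untagged domain and inherits the softswitch IP
    for obj in objs.values():
        if obj.get("interface") == softswitch and "vlanid" in obj:
            vlans[int(obj["vlanid"])] = obj.get("ip")  # each VLAN sub-interface -> VLAN interface
    return {"l2_interfaces": sw.get("member", []), "l2_domain": softswitch,
            "vlan_mode": "trunk" if len(vlans) > 1 else "access",
            "allowed_vlans": sorted(vlans),
            "vlan_interfaces": {f"vlan{v}": ip for v, ip in sorted(vlans.items())}}
```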