FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 194636

Description

When a Wireless Access Point (WAP) connects to a managed switch port, the port type is changed to "WAP Uplink" in the appliance database. This article describes the expected behavior for WAP Uplink ports when the following scenarios apply. For more information regarding WAP uplinks and other uplink types, refer to the Port uplink types section of the Administration Guide in the Fortinet Document Library.

Scenario 1:  WAP with Role matching Network Device Role - Port is not a member of any groups

Current VLAN will not be changed on the port.

 
Scenario 2:  WAP with Role matching Network Device Role - Port is a member of Role Based Access

Current VLAN will be changed to the VLAN dictated by the Network Device Role Mapping.

 
 

Scenario 3:  WAP with Role matching Network Device Role - Port is a member of Reset Forced Default System Group
Current VLAN will be changed to the port's Default VLAN.

 
Scenario 4:  WAP with Role matching Network Device Role - Port is a member of Reset Forced Default & Role Based Access System Groups (Role based VLAN and Default VLAN are different)
 
This configuration is not recommended. The VLAN configuration can cycle constantly between the VLAN defined by the role and the Default VLAN:
  1. WAP is connected to the switch port.
  2. Current VLAN changes to the VLAN dictated by the Network Device Role Mapping during a Layer 2 poll.
  3. Current VLAN changes to the port's Default VLAN after the time frame defined by the VLAN Reset Delay.
  4. Current VLAN remains configured for the Default VLAN until the next Layer 2 poll, at which point step 2 occurs and the cycle repeats.
This behavior can occur when the WAP is tunneling back to the controller or if there are no wireless clients connected to the WAP.

It is recommended that the Default VLAN be set to the same value as the Role Based VLAN (Scenario 5).
 
 

Scenario 5:  WAP with Role matching Network Device Role - Port is a member of Reset Forced Default & Role Based Access (Role based VLAN and default VLAN are the same)
Current VLAN will not be changed on the port once it is in the Role/Default VLAN.

 
Scenario 6:  WAP not matching Network Device Role - Port is not a member of any groups

Current VLAN will not be changed on the port regardless.

 
Scenario 7:  WAP not matching Network Device Role - Port is a member of Role Based Access

Current VLAN will be changed to the port's Default VLAN.

 
Scenario 8:  WAP not matching Network Device Role - Port is a member of Reset Forced Default

Current VLAN will be changed to the port's Default VLAN.

 
Scenario 9:  WAP not matching Network Device Role - Port is a member of Reset Forced Default & Role Based Access

Current VLAN will be changed to the port's Default VLAN.
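
The scenarios above can be checked against a port inventory before deployment by modeling them as two events acting on the Current VLAN: the Layer 2 poll and the expiry of the VLAN Reset Delay. The following Python sketch is an added example, not Fortinet code or output from the appliance; the class, function names, port names and VLAN IDs are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

RBA, RFD = "Role Based Access", "Reset Forced Default"

@dataclass(frozen=True)
class WapUplinkPort:
    name: str
    groups: frozenset         # system groups the port is a member of
    role_matches: bool        # WAP role matches a Network Device Role
    default_vlan: int
    role_vlan: Optional[int]  # VLAN from the Network Device Role Mapping

def after_l2_poll(port, vlan):
    # Assumption: Role Based Access acts at the Layer 2 poll (the article
    # gives this timing explicitly only for Scenario 4).
    if RBA in port.groups:
        return port.role_vlan if port.role_matches else port.default_vlan
    return vlan

def after_reset_delay(port, vlan):
    # Reset Forced Default acts when the VLAN Reset Delay expires.
    return port.default_vlan if RFD in port.groups else vlan

def simulate(port, start_vlan, cycles=3):
    """Current VLAN after each poll and each reset-delay expiry."""
    vlan, history = start_vlan, []
    for _ in range(cycles):
        vlan = after_l2_poll(port, vlan)
        history.append(vlan)
        vlan = after_reset_delay(port, vlan)
        history.append(vlan)
    return history

def classify(port, start_vlan):
    settled = set(simulate(port, start_vlan)[2:])  # skip the first transition
    if len(settled) > 1:
        return "flapping"                          # Scenario 4
    vlan = settled.pop()
    return "unchanged" if vlan == start_vlan else f"moves to VLAN {vlan}"

# Constructed inventory: port names and VLAN IDs are made up.
PORTS = [
    WapUplinkPort("sw1:1", frozenset({RBA}), True, 10, 20),          # Scenario 2
    WapUplinkPort("sw1:2", frozenset({RBA, RFD}), True, 10, 20),     # Scenario 4
    WapUplinkPort("sw1:3", frozenset({RBA, RFD}), True, 20, 20),     # Scenario 5
    WapUplinkPort("sw1:4", frozenset({RBA, RFD}), False, 10, None),  # Scenario 9
]
for p in PORTS:
    print(p.name, classify(p, start_vlan=99))
```

Any port reported as "flapping" is in the Scenario 4 configuration and should have its Default VLAN aligned with the Role Based VLAN.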

 
 
 

 
