FortiGate VLANs: tagged and untagged VLANs on the same physical interface
I have come across this question quite a bit lately, and thought it may be helpful to post a quick how-to. In this post we'll take a look at a port configuration on a Cisco switch, and configure the FortiGate accordingly. You can do this with any model of switch; I am only using Cisco as the reference because its configuration syntax is the most widely understood.
FortiOS Versions: This is tested in FortiOS 6.0 and above
Prerequisite: the interface in question is not part of a virtual switch (hardware or software).
With the boring stuff out of the way, let's get into the fun stuff.
Based on the switch configuration snippet below, we want to support both a tagged and an untagged VLAN from the FortiGate:

    !
    interface GigabitEthernet0/1
     switchport mode trunk
     switchport trunk native vlan 3
     switchport trunk allowed vlan 3-4
    !
Here's how we configure that on a FortiGate. The untagged (native) VLAN is handled by the physical interface itself; here's what this looks like in the CLI:

    config system interface
        edit "internal6"
            set vdom "root"
            set ip 10.0.3.2 255.255.255.0
            set allowaccess ping https ssh http fabric
            set type physical
            set alias "VLAN3 - untagged"
            set device-identification enable
            set lldp-transmission enable
            set role lan
            set snmp-index 12
        next
    end
It's pretty much configured like a standard interface, because it is one.
To add the tagged VLAN, go to Network > Interfaces and click "Create New > Interface".

Note the differences: this is a "VLAN" interface, and it is "tied" to "internal6". Here's how it looks in the CLI:

    config system interface
        edit "vl_4_lan"
            set vdom "root"
            set ip 10.0.4.2 255.255.255.0
            set allowaccess ping https ssh http fabric
            set alias "VLAN 4"
            set device-identification enable
            set role lan
            set snmp-index 14
            set interface "internal6"
            set vlanid 4
        next
    end
You can continue to add VLANs using the same method as needed.
Simply put, the FortiGate doesn't care which VLAN ID your "native/untagged" VLAN uses: any frame that arrives on the physical interface without an 802.1Q (VLAN) tag is assumed to belong to that interface's subnet, while tagged frames are matched to the VLAN sub-interface with the corresponding vlanid.
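The mapping described above (switch native VLAN = FortiGate physical interface, every other allowed VLAN = an 802.1Q sub-interface bound to it) can be turned into a small generator. This is an added example, not code from the post or from Fortinet: it parses a Cisco trunk stanza, expands the allowed VLAN range, and renders the matching FortiGate CLI, refusing to proceed if the native VLAN is missing from the allowed list (in which case the switch would not carry the untagged traffic at all). The interface name, subnets and sub-interface naming follow the post; the sample stanza is constructed, not captured from a live switch.

```python
import re
from typing import Dict, List

# Constructed sample: the trunk port from the post, not captured from a live switch.
CISCO_PORT = """
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 3
 switchport trunk allowed vlan 3-4
"""

def expand_vlan_list(spec: str) -> List[int]:
    """Expand a Cisco VLAN list such as '3-4,10,20-22' into sorted VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return sorted(vlans)

def parse_trunk(config: str) -> Dict[str, object]:
    """Pull the native VLAN and the allowed VLAN list out of a trunk stanza."""
    if "switchport mode trunk" not in config:
        raise ValueError("port is not a trunk; it cannot carry tagged VLANs")
    native = re.search(r"switchport trunk native vlan (\d+)", config)
    allowed = re.search(r"switchport trunk allowed vlan ([\d,\-]+)", config)
    native_id = int(native.group(1)) if native else 1  # Cisco default native VLAN is 1
    allowed_ids = expand_vlan_list(allowed.group(1)) if allowed else []
    return {"native": native_id, "allowed": allowed_ids}

def fortigate_config(trunk: Dict[str, object], phys: str, subnets: Dict[int, str]) -> str:
    """Render the FortiGate side: `phys` carries the untagged VLAN, others become sub-interfaces."""
    native, allowed = trunk["native"], trunk["allowed"]
    if native not in allowed:
        # The switch does not carry untagged frames for a native VLAN it does not allow.
        raise ValueError(f"native VLAN {native} missing from allowed list {allowed}")
    lines = ["config system interface", f'    edit "{phys}"',
             f"        set ip {subnets[native]}",
             f'        set alias "VLAN{native} - untagged"', "    next"]
    for vid in allowed:
        if vid == native:
            continue  # the untagged VLAN already lives on the physical interface
        lines += [f'    edit "vl_{vid}_lan"', f"        set ip {subnets[vid]}",
                  f'        set interface "{phys}"', f"        set vlanid {vid}",
                  "    next"]
    lines.append("end")
    return "\n".join(lines)
```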
That's all there is to it, thank you for reading, I hope this helps.