Matt Sherif

FortiGate VLANs: tagged and untagged VLANs on the same physical interface

I have come across this question quite a bit lately, and thought it may be helpful to post a quick how-to. In this post we'll take a look at a port configuration on a Cisco switch, and configure the FortiGate accordingly. You can do this with any model of switch; I am only using Cisco as the reference because its configuration syntax is the most widely understood.


Assumptions


  • FortiOS Versions: This is tested in FortiOS 6.0 and above

  • The interface in question is not a part of a virtual switch (hardware or software)

With the boring stuff out of the way, let's get into the fun stuff.


The scenario


Based on the switch configuration snippet below, we want to support both a tagged and an untagged VLAN on a single FortiGate port:


!
interface GigabitEthernet0/1
  switchport mode trunk
  switchport trunk native vlan 3
  switchport trunk allowed vlan 3-4
!

Here's how we configure that on a FortiGate:


VLAN 3:

Here's what this looks like in CLI:

config system interface
    edit "internal6"
        set vdom "root"
        set ip 10.0.3.2 255.255.255.0
        set allowaccess ping https ssh http fabric
        set type physical
        set alias "VLAN3 - untagged"
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 12
    next
end

It's pretty much configured like a standard interface - because it is.


VLAN 4:


In Network > Interfaces, click on "Create New > Interface".


Note the differences: this is a "VLAN" type interface, and it is "tied" to "internal6" as its parent. Here's how it looks in CLI:

config system interface
    edit "vl_4_lan"
        set vdom "root"
        set ip 10.0.4.2 255.255.255.0
        set allowaccess ping https ssh http fabric
        set alias "VLAN 4"
        set device-identification enable
        set role lan
        set snmp-index 14
        set interface "internal6"
        set vlanid 4
    next
end

You can continue to add VLANs using the same method as needed.


Simply put, the FortiGate doesn't really care which VLAN ID your "native/untagged" VLAN uses. Any frame that arrives without an 802.1Q (VLAN) tag is simply treated as belonging to the physical interface and its subnet, while tagged frames are matched to the VLAN sub-interface with the corresponding vlanid.
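To make the mapping explicit, here is an added example (not part of the original post or of FortiOS) that parses the Cisco trunk snippet above and generates the equivalent FortiOS interface stanzas: the native VLAN lands on the physical interface, and every other allowed VLAN becomes a tagged sub-interface. The interface name "internal6" and the 10.0.x.2 addressing are taken from the post; the VLAN-list expansion beyond "3-4" is a generalization.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the switch snippet from the post.
CISCO_SNIPPET = """!
interface GigabitEthernet0/1
  switchport mode trunk
  switchport trunk native vlan 3
  switchport trunk allowed vlan 3-4
!"""

@dataclass
class TrunkPort:
    native: int = 1                        # Cisco default native VLAN
    allowed: set = field(default_factory=set)

def expand_vlan_list(spec):
    """Expand a Cisco VLAN list such as '3-4,10,20-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunk(text):
    """Pull the native VLAN and the allowed VLAN list out of a switchport config."""
    port = TrunkPort()
    for line in text.splitlines():
        m = re.match(r"\s*switchport trunk native vlan (\d+)\s*$", line)
        if m:
            port.native = int(m.group(1))
        m = re.match(r"\s*switchport trunk allowed vlan (?:add )?([\d,\-]+)\s*$", line)
        if m:
            port.allowed |= expand_vlan_list(m.group(1))
    return port

def fortigate_interfaces(port, phys, subnets):
    """Render FortiOS stanzas: the native VLAN rides untagged on the physical
    interface; each other allowed VLAN becomes an 802.1Q sub-interface tied to it.
    `subnets` maps VLAN id -> 'ip mask' (hypothetical addressing chosen by the caller)."""
    blocks = [f'    edit "{phys}"\n        set ip {subnets[port.native]}\n'
              f'        set type physical\n        set alias "VLAN{port.native} - untagged"\n    next']
    for vid in sorted(port.allowed - {port.native}):   # never tag the native VLAN
        blocks.append(f'    edit "vl_{vid}_lan"\n        set ip {subnets[vid]}\n'
                      f'        set interface "{phys}"\n        set vlanid {vid}\n    next')
    return "config system interface\n" + "\n".join(blocks) + "\nend"

if __name__ == "__main__":
    trunk = parse_trunk(CISCO_SNIPPET)
    print(fortigate_interfaces(trunk, "internal6",
          {3: "10.0.3.2 255.255.255.0", 4: "10.0.4.2 255.255.255.0"}))
```

Because the native VLAN is excluded from the tagged loop, a VLAN that the switch sends untagged never ends up on a sub-interface that would expect a tag, which is the mismatch that silently drops traffic in practice.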


That's all there is to it, thank you for reading, I hope this helps.
