Staff

Technical Tip: How to create a VLAN tagged interface (802.1q) on a FortiGate tagged/untagged traffic

Forum|Forum|16 years ago
August 25, 2009
2 replies
255417 views

Description

This article describes the steps to create a VLAN interface (802.1q tag) on a FortiGate.

Scope

Any FortiGate.

Solution

Note about traffic tagging:
A VLAN interface is attached to a physical interface.

When the FortiGate sends out traffic to the physical interface level, the egress packets are untagged, whereas the packets sent on a VLAN level are tagged. It is also important to note that FortiGate, being a Layer 3 device, does not tag ingress packets; it is the responsibility of the preceding device to add VLAN tags if required.

If on a particular VLAN there are destination devices in the network that do not accept tagged packets, it will be required to connect the FortiGate to an intermediate L2 unit (a switch, for example) configured with the same VLAN(s).

Below is an example structure with a FortiGate with VLAN ID 1 attached to port1:

Endpoint ----VLAN1 (on port2) -----> Tagged packets -----> [FortiGate] ---- port1 -----> Untagged packets.

Configuration steps to add VLAN 100 to the physical interface port1 through both the CLI and GUI are provided in this article. The VLAN will be named My_VLAN_100.

Notes:

Once created, this interface is subject to the same rules as physical interfaces. Firewall Policies must be defined to allow/deny traffic to/from this interface, and other common objects like Firewall Address can be assigned to it.
The physical interface on which a VLAN is attached does not require any IP address settings.
The physical interface on which the VLAN is attached will share the bandwidth with all the VLANs attached to the physical interface.
The VLAN ID range is from 1 to 4094. VLAN ID of 0 is reserved for high-priority frames, and 4095 is reserved.

Configuration steps from the GUI:

Go to System -> Network and select 'Create New' -> 'Interface'.

Give a Name to the VLAN interface.

Choose the physical interface on which to attach the VLAN.

Give the desired VLAN ID. All other fields depend on individual requirements, such as the IP address and the ping server.

After completing the above steps, select 'Ok' to save the new VLAN interface.

Notes:

Remember that the minimum VLAN ID value is 2.
A switch should be between the End device and FortiGate.
If the end device is directly connected to FortiGate, the end device should be able to configure a VLAN ID.

To verify, check the interface in System -> Network -> Interfaces by expanding the physical port. There, the new VLAN should be displayed:

Configuration steps in the CLI for the above VLAN:

config system interface
    edit "My_VLAN_100"
        set vdom root
        set ip 192.168.100.1/24
        set interface internal1
        set vlanid 100

set allow access ping https ssh
next
end

To test a direct connection via Laptop/PC (Windows), the End device should configure a VLAN ID on the network adapter.

Open Device Manager: Press Windows Key + R, type devmgmt.msc, and press Enter, or search for 'Device Manager'.
Find Network Adapter: Expand 'Network adapters', 'right-click' the Ethernet or Wi-Fi adapter, and select 'Properties'.
Access Advanced Settings: Go to the 'Advanced' tab.
Set VLAN ID: Scroll down to find "VLAN ID" (or similar) in the list, select it, and enter the desired VLAN ID number (e.g., 10, 50).
Apply: Select OK. The connection might briefly drop and reconnect as it joins the new VLAN.

Note:
If the VLAN is tagged, it will be allowed on the trunk port between the FortiGate, switches, or routers. Also, the trunk port will carry native VLAN traffic as untagged traffic.
If the VLAN is untagged, it will be allowed on the access port.

Related articles:

Troubleshooting Tip: Using the FortiGate sniffer on VLAN interfaces

Technical Tip: rules about VLAN configuration and VDOM interface assignment

Technical Tip: Configure Inter-VLAN Routing