Staff

Technical Tip: Virtual Wire Pair - Tagged VLANs dropped

Forum|Forum|4 years ago
May 5, 2022
0 replies
6271 views

Description

This article describes an issue that may be encountered when configuring a Virtual Wire Pair on a Fortigate firewall whereby tagged VLAN traffic (dot1Q) is not allowed to pass.

Scope

All FortiGates.

Solution

If tagged VLAN traffic is to pass through a virtual wire pair, an option must be enabled for this to occur; otherwise, this traffic is dropped (and cannot be seen in a sniffer).

The required option is as follows:

config system virtual-wire-pair

edit <name_of_virtual_wire_pair>

set wildcard-vlan enable

This can be further filtered to permit only the VLANs that should pass through the wire pair:

For example, to only permit VLANs 100 & 200:

set vlan-filter <100,200>

Or, to allow ALL VLANs, set the range to the full permissible range of VLANs (0 to 4094) as follows:

set vlan-filter <0-4094>

Virtual wire pairs.

Note:
wildcard-vlan and vlan-filter must be configured even when using VLAN interfaces in the VWP to allow tagged traffic through the VWP.

Related article:

Technical Tip: Virtual wire pairs

Virtual wire pair

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded