Technical Tip: VLAN 1 Sub-Interface is not working over a Trunk Link

The issue occurs because most switches treat VLAN 1 as the native (untagged) VLAN on trunk links.
FortiGate, however, requires VLAN 1 traffic to be tagged on its sub-interface, and untagged traffic will be sent or received on the physical interface.

This mismatch prevents traffic from reaching the FortiGate unless the switch configuration is adjusted.

To resolve the issue, change the native VLAN on the switch to a dummy VLAN (for example, VLAN 999), which is a VLAN not used anywhere else in the network.
This ensures VLAN 1 traffic is sent as tagged across the trunk.

SW1#configure terminal

SW1(config)#interface gi0/1

SW1(config-if)#switchport mode trunk

SW1(config-if)#switchport trunk native vlan 999

SW1(config-if)#switchport trunk allowed vlan 1,10,20

There are limitations to consider with the usage of specific VLANs. Using VLAN ID 1 should be avoided in configurations. For more information, see Technical Tip: Special/Reserved VLAN IDs on the FortiGate.

Note: FortiGate requires all VLAN sub-interfaces - including VLAN 1 - to receive 802.1Q-tagged frames for proper operation.