hgg
New Member
June 5, 2018
Question

Add VLAN sub-interfaces to a physical interface

Hi

Right now I have a network in production with no VLANs. A change in circumstances forces me to create several VLANs to better segment our network and improve our security.

My question is:

Can I add VLAN sub-interfaces to our VLAN-less physical interface, which is currently in production, without consequences, or should I create a new interface for the previous physical interface (for example as VLAN 1 or native) beside the new ones, with the issues this will bring (DHCP among others)?

Thanks in advance

    3 replies

    Toshi_Esumi
    SuperUser
    June 5, 2018

    I think I answered your question on a different thread. Please avoid cross-posting the same issue in multiple threads.

    hgg (Author)
    New Member
    June 7, 2018

    Hi Toshi

    I ask you to forgive me.

    It is not quite the same question. This question is about leaving everything as it is and adding VLAN interfaces over my current interface. The other question was about moving a physical interface to a VLAN interface in a manner that does not require rebuilding everything.

    Thanks for your understanding.

    ericli_FTNT
    Staff
    June 6, 2018

    Definitely you can, but I'm wondering how you configured the other end. If it's another FortiGate, it should be OK. If it's a switch, trunk or access mode?

    hgg (Author)
    New Member
    June 9, 2018

    All my network runs in the native VLAN (VLAN 1) on HP switches. This is something I need to change, but I am afraid to do it over a production network with a bunch of devices. I need everything to keep working while I'm implementing the VLANs.

    Is this the info you needed?

    ericli_FTNT
    Staff
    June 11, 2018

    Thanks for the reply!

    I understand all your network is running within the native VLAN. But if you need to create a new VLAN interface, you need to make sure the port on your HP switch can accept its VLAN ID; therefore, it should be in trunking mode.

    sw2090
    SuperUser
    June 6, 2018

    Generally it's not a good idea to use VID 1, because on many manageable switches this is the default VID and it might screw up your networking as a consequence.

    So better use something else on your FGT to create virtual VLAN interfaces. Then they will not interfere with your productive networking so far. You will of course need policies on your FGT for your VLANs, and you will have to do port-VLAN setup on your switches to distribute your VLANs further.

    VLAN interfaces on a FGT are, by the way, always untagged in those VLANs, i.e. packets that go out via the VLAN interface will be tagged with its VID by the FGT even if they are already tagged. On most switches you can choose whether you want the port tagged/untagged, or more options.
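    As an added example, not from any poster in this thread, this is what the setup discussed by ericli_FTNT (switch port in trunking mode) and sw2090 (VLAN interfaces on the FGT, policies, port-VLAN setup on the switches) looks like in configuration: a VLAN sub-interface with its own IP is added on the existing physical port while that port keeps its untagged address, and the switch uplink carries the new VLAN tagged with VLAN 1 still untagged. Interface names, VLAN ID, addresses and the switch port number are assumed; the FortiGate part is FortiOS CLI and the switch part is HP ProCurve/ArubaOS-Switch CLI.

```text
# --- FortiGate side (FortiOS CLI). Names and addresses are assumed. ---
# "port2" is the existing physical interface; its own untagged IP
# (say 192.168.1.1/24) stays as it is and keeps serving the old network.
config system interface
    edit "vlan10"
        set vdom "root"
        set interface "port2"
        set vlanid 10
        set ip 10.0.10.1 255.255.255.0
        set allowaccess ping
    next
end
# A DHCP scope on the new sub-interface for devices as they are moved over.
config system dhcp server
    edit 0
        set interface "vlan10"
        set default-gateway 10.0.10.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 10.0.10.100
                set end-ip 10.0.10.200
            next
        end
    next
end
# Nothing passes between VLAN 10 and the old network until a policy allows it;
# this one permits the new segment to reach the legacy one.
config firewall policy
    edit 0
        set name "vlan10-to-legacy"
        set srcintf "vlan10"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# --- HP ProCurve / ArubaOS-Switch side, uplink port 1 (assumed) ---
# VLAN 1 stays untagged on port 1, so existing hosts are unaffected;
# VLAN 10 is added tagged, which is the "trunking mode" ericli_FTNT means.
vlan 10
   name "segment-10"
   tagged 1
   exit
```

    Access ports for hosts that have been migrated are then set untagged in VLAN 10 on the switch, one device at a time, while everything still on VLAN 1 keeps using the physical interface as before.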

    hgg (Author)
    New Member
    June 7, 2018

    Thanks sw2090

    But I have a question.

    When you say "So better use something else on your FGT to create virtual vlan interfaces.", what do you mean?

    My problem is that I have a lot of devices I need to move to the VLANs without them stopping working, so they will stay in the current VLAN until I move them in an orderly fashion to their proper VLANs.

    I have a physical interface where all my network arrives right now. What worries me is that in a Cisco environment the root interface cannot have an IP address, only the sub-interfaces. What I understand from your answer and from others who answered this post is that I can create a VLAN interface over this physical interface, assign it an IP address, and everything will work as if nothing has happened. My physical interface and the new VLAN interface, both with IP addresses, will work seamlessly. Am I right?