fabiao
New Member
November 12, 2015
Question

Example on creating the same VLAN ID on two physical interfaces

  • November 12, 2015
  • 1 reply
  • 18941 views
Hello,

Sorry if this is a FAQ, but I couldn't find any examples on this.

On FortiOS Cookbook 5.0, page 1539, we can read:

"Creating VLAN subinterfaces with the same VLAN ID does not create any internal connection between them. For example a VLAN ID of 300 on port1 and VLAN ID of 300 on port2 are allowed, but they are not connected. Their relationship is the same as between any two FortiGate network interfaces."

OK, so I have VLAN 50 on physical port 1, connected to switch A. I'm migrating all VLANs (including VLAN 50) to switch B, connected to FortiGate physical port 2. At this time, I need VLAN 50 to be defined on physical port 1 AND physical port 2.

Can I do something like this?


config system interface
    edit "VLAN.50.port.1"
        set vdom "root"
        set ip 172.20.2.1 255.255.255.0
        set allowaccess ping
        set interface "port1"
        set vlanid 50
    next
    edit "VLAN.50.port.2"
        set vdom "root"
        set ip ?????????????
        set allowaccess ping
        set interface "port2"
        set vlanid 50
    next
end


If I can, what IP address must I use for "????????"? I thought about using 172.20.2.1, but it doesn't seem right. After all, the network gateway is on port1.

I understand that after I do this I'll have to create something like this:


config firewall policy
    edit 195
        set srcintf "VLAN.50.port.1"
        set dstintf "VLAN.50.port.2"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "all"
        set logtraffic disable
    next
end


and vice-versa.

Well, thanks a lot for any info.

Fábio.


    pcraponi
    New Member
    November 12, 2015

    You need to create a hardware/software switch to do this...

    On a normal interface you will need to add an IP address on both.

    emnoc
    New Member
    November 12, 2015

    Do you want both vlan-ids on the same subnet (not possible, address overlap)? Or different network addresses? And why do you need to migrate vlan-id 50 from port1 to port2?

    FWIW

    If it's because the port is 10/100 only and you want to use a 10/100/1000 port, or for acceleration concerns, then I would build the 2nd vlan on the 10/100/1000 port, set a bogus layer3 address, place both ports into a "zone", and then when you are ready to activate port#2, just re-IP the 2nd port with the correct l3 address and remove the old port#1 l3 address.

    I did this on an engagement a few months back and it worked great, except you have to rebuild all fw-policies when you define the zone.
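    emnoc's staged approach written out as FortiOS CLI. This is an added illustration, not configuration from the thread or from Fortinet documentation; the staging subnets 10.255.255.0/24 and 10.255.254.0/24, the zone name "Zone.VLAN.50" and the destination interface "port3" are assumed placeholders. The zone keeps intrazone traffic denied, so the two VLAN 50 sub-interfaces are never implicitly bridged through the firewall during the migration.

```fortios
# Step 1: stage VLAN 50 on port2 with a placeholder address that does not
# overlap 172.20.2.0/24 (10.255.255.1/24 is an assumed, unused range).
config system interface
    edit "VLAN.50.port.2"
        set vdom "root"
        set type vlan
        set interface "port2"
        set vlanid 50
        set ip 10.255.255.1 255.255.255.0
        set allowaccess ping
    next
end

# Step 2: group both VLAN 50 sub-interfaces in one zone. Keep intrazone
# traffic denied (the default) so nothing passes between the two ports
# unless a policy explicitly allows it.
config system zone
    edit "Zone.VLAN.50"
        set intrazone deny
        set interface "VLAN.50.port.1" "VLAN.50.port.2"
    next
end

# Step 3: policies that referenced VLAN.50.port.1 directly must be rebuilt
# against the zone (emnoc's caveat). "port3" is a placeholder destination;
# "edit 0" lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set srcintf "Zone.VLAN.50"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "all"
        set logtraffic all
    next
end

# Step 4, cut-over: park port1 on a second placeholder subnet first, then
# give port2 the real gateway address. The order matters because FortiOS
# rejects an interface address that overlaps another interface's subnet.
config system interface
    edit "VLAN.50.port.1"
        set ip 10.255.254.1 255.255.255.0
    next
    edit "VLAN.50.port.2"
        set ip 172.20.2.1 255.255.255.0
    next
end
```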

     

    fabiao (Author)
    New Member
    November 12, 2015

    Hi,

    emnoc wrote:

    Do you want both vlan-id on the same subnet network ( not possible address overlap ) ? Or different networks address? And why do you need to migrate the vlan-id 50 from port1 to port2?

    I prefer the former (no address overlap). But the latter is acceptable :).

    I need to migrate the VLAN (in fact, all of them) because I have a new core switch. The plan is to slowly transfer all the traffic from the old switch to the new one, one physical interface at a time (I work in a hospital; a full network stop is almost impossible). There will be a time when the unit has traffic from all VLANs on both ports.

    I'm talking about 120 switches and 50 VLANs. We don't know a better way to do it :).

    Thanks!