Skip to main content
BusinessUser
BusinessUser
Explorer
December 9, 2023
Solved

Firewall "Software switch "with IP address config only

  • December 9, 2023
  • 1 reply
  • 2307 views

I assume that the layer3 interface is tagged with vlan 1?

 

What happens if I put an access vlan on a another switch port that is connected to this firewall port?

Best answer by Toshi_Esumi

No. With all FGTs, all physical and parent interfaces are NOT tagged and no association to any VLANs configured in the unit. And VLAN ID 1 is reserved. See below KB:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Reserved-VLAN-ID-1/ta-p/270111

If you configured an "access port" on a switch, packets coming out/in are non-tagged. So only those non-VLAN/parent interfaces can communicate with.

 

Toshi

1 reply

Toshi_Esumi
SuperUser
Toshi_EsumiAnswer
SuperUser
December 9, 2023

No. With all FGTs, all physical and parent interfaces are NOT tagged and no association to any VLANs configured in the unit. And VLAN ID 1 is reserved. See below KB:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Reserved-VLAN-ID-1/ta-p/270111

If you configured an "access port" on a switch, packets coming out/in are non-tagged. So only those non-VLAN/parent interfaces can communicate with.

 

Toshi

    BusinessUser
    BusinessUserAuthor
    Explorer
    December 11, 2023

    So the fortigate firewall have layer 3 ip.

    I can only use dumb layer 2 switch to connect to it?

    How about switchport mode access, switchport access vlan 1? 

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    December 11, 2023

    You can connect L3 switch as well, of course. Just avoid IP conflict. In that case, both are routers.

    FGTs basically don't have concept of SVI except the virtual VLAN switch interface, which can have a native VLAN interface for most of "F"-series FGTs. Also they don't have concept of "switchport mode access" because it's not a switch or switch-router. It's similar to old Cisco routers like 26xx, 19xx, etc. You can stack vlan on the physical port but no SVI.

    "software switch" interface is the same. You can configure a soft-switch including muitiple physical interface as well as wifi(SSID) interfaces to have one IP/IP subnet. But it's not tagged. And again, you can stack up mutiple VLANs on it.

     

    Toshi

      Terms & ConditionsAccessibility statement