New Member
May 8, 2026
Question

FortiGate 60F Multilayer Switching

  • May 8, 2026
  • 3 replies
  • 51 views

I have yet to find a working solution for what seems like a normal networking scenario. Here are the requirements:

ports 1-5:
  port1: access vlan 5 (untagged vlan 5) should share l3 gateway with any hosts connected to trunks
  port2: access vlan 10 (untagged vlan 10) should share l3 gateway with any hosts connected to trunks
  port3: access vlan 15 (untagged vlan 15) should share l3 gateway with any hosts connected to trunks
  port4: trunk all vlans, native vlan 99. non-aggregate
  port5: trunk all vlans, native vlan 99. non-aggregate

l3 interfaces of some kind. cannot be under a physical interface because two trunks must carry vlans:
  vlan5: 10.0.5.1/24
  vlan10: 10.0.10.1/24
  vlan15: 10.0.15.1/24
  vlan99: 10.0.99.1/24 (native)

I’ve read the documentation. I’ve asked open.ai several different times, and I’ve had Claude read through the documentation for multiple FortiOS versions. The documentation is not great in this area. So not great that Claude cannot figure it out.

I can make something like this work with other vendors.

Connecting the firewall’s directly connected hosts to a downstream switch is not an option. They must connect to ‘access’ interfaces on the FortiGate and use the l3 interfaces as their default gateway, just as the devices connected to the trunks do.

Current version is 8.0.0, but I can run anything on 7.4.7 in this test environment.

Have I hit a wall? Thanks in advance!

3 replies

Toshi_Esumi
SuperUser
May 8, 2026

You wouldn’t get any good information when you search online or ask an AI, because FGTs in general, not only the 60F, don’t provide those regular L2 switching features/functions. The only things the 60F’s “VLAN switch” feature does are:
1) you can define a native VLAN on those member ports without tagging.
2) you can define ONLY one “trunk” port among them, which carries traffic with tags ONLY for those native VLANs configured on the member ports.

So, without a switch it’s impossible to accomplish your goal.

Toshi 

01GmailAuthor
New Member
May 9, 2026

- The native vlan is just a vlan/logical interface without a tag, so any untagged traffic is processed by that interface. It is a logical interface just like the rest of the vlan interfaces.

- I can designate as many trunks as I want. AI also said I could only do one, but that is not the case.
Toshi_Esumi
SuperUser
May 9, 2026

I don’t know what was added with 8.0. But it seems to be different from 7.4-7.6. So I’ll let somebody else comment.

Toshi

01GmailAuthor
New Member
May 9, 2026

I just tested on 7.4.7 and multiple trunks can be configured. I doubt much has changed in core networking functionality in the last few versions, since core networking itself hasn’t changed much in general.