Tutek_OLD
New Member
September 24, 2020
Solved

One Vlan on multiple ethernet interfaces

  • September 24, 2020
  • 3 replies
  • 55214 views

Hi,

Is it possible on a FortiGate 100F to have one VLAN configured on multiple ports?

Let's say I have vlan5 192.168.5.0; is it possible to attach it to port1 and port2 so that I then have the same shared vlan5 subnet on these ports?


thanks

    Best answer by Benoit_Rech_FTNT



    lobstercreed
    New Member
    September 24, 2020

    No, a VLAN interface is a sub-interface on a FortiGate (a tagged VLAN on a trunk port in switching parlance).

    You *could* set up a switch on the FortiGate so that more than one physical port shared the same "interface", but you wouldn't be able to tag VLANs on those ports. You'd have to connect it to a switch on an untagged VLAN to maybe kind of achieve what you're looking for, at which point why not just use a switch to begin with. Tag the VLAN going to the FortiGate and set untagged VLANs on the other ports you need instead of using the FortiGate for them.

    Tutek_OLD (Author)
    New Member
    September 24, 2020

    So how can I create a setup like this:

    I have LAN port1 and a DMZ port, and one MGMT VLAN subnet (tagged); how can I have the same MGMT subnet VLAN on LAN and DMZ?

    On other routers I can bridge the MGMT VLAN with the DMZ port and this is working; how about FortiGate?

    Benoit_Rech_FTNT
    Staff
    September 24, 2020

    Hello Wojtek,

    you can assign the same VLAN to multiple physical ports, and with different IPs on the same subnet. To do that, you need to enable 'allow-subnet-overlap'.

    See https://kb.fortinet.com/kb/documentLink.do?externalID=FD30014

    Best regards, Benoit

    vietleanz_FTNT
    Staff
    April 29, 2022

    It may be too late for you, but for other viewers: the FortiGate 100F supports virtual-switch-vlan.

    config system global
        set virtual-switch-vlan enable
    end

    Then you can create a new virtual-switch, add port1 and port2, and set the VLAN ID on this vswitch:

    config system virtual-switch
        edit "VLAN SW"
            set physical-switch "sw0"
            set vlan 5
            config port
                edit "port1"
                next
                edit "port2"
                next
            end
        next
    end

    That way port1 and port2 share the same VLAN 5. But note that traffic leaving port1 and port2 is not tagged.

    Another port, e.g. port3, can be configured as a trunk port and connected to a trunk port on an external switch:

    config system interface
        edit port3
            set trunk enable
        next
    end

    Traffic from "VLAN SW" on trunk port3 will be tagged VLAN 5 toward the external switch.

    Hope this is what you need.

    Toshi_Esumi
    SuperUser
    April 30, 2022

    Could you explain how this "virtual-switch-vlan" is different from VLAN subinterface on a hard-switch like below without enabling this feature?

    config system virtual-switch
        edit "VLAN-SW"
            set physical-switch "sw0"
            config port
                edit "port1"
                next
                edit "port2"
                next
            end
        next
    end

    config system interface
        edit vlan5
            set vdom "root"
            set interface "VLAN-SW"
            set vlanid 5
        next
    end

    Toshi

    vietleanz_FTNT
    Staff
    May 1, 2022

    Hi Toshi

    For the FGT that supports vlan switch, you need to enable "virtual-switch-vlan" so the config you referenced will work, provided that you set trunk on port1 and port2.

    The document says 'set trunk enable' is optional, but I see it is required for the subinterface to work.

    For the model that doesn't support vlan switch, your config will work anyway.

    It's very confusing for me too, so I edited the previous reply. It may require some labs for specific use cases.


    Cheers.

    Viet
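As an added illustration (not code from this thread or from Fortinet), here is a small Python checker that parses FortiOS CLI snippets like the ones above and flags the two conditions Viet describes: a 'set vlan' on a virtual-switch while 'virtual-switch-vlan' is not enabled, and a VLAN subinterface on a virtual-switch whose member ports lack 'set trunk enable'. The parser, the rule wording and the sample configuration are my own constructions; the parser also rejects an unbalanced next/end.

```python
import shlex

def parse_fortios(text):
    """Parse FortiOS CLI (config/edit/set/next/end) into nested dicts.
    'config a b' and 'edit x' open a nested dict, 'set k v...' stores the
    value string, and an unbalanced next/end raises ValueError."""
    root, stack = {}, []
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        cmd, args = words[0], words[1:]
        node = stack[-1] if stack else root
        if cmd == "config":
            stack.append(node.setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(node.setdefault(args[0], {}))
        elif cmd == "set":
            node[args[0]] = " ".join(args[1:])
        elif cmd in ("next", "end"):
            if not stack:
                raise ValueError(f"'{cmd}' with no open block")
            stack.pop()
    if stack:
        raise ValueError("unterminated config/edit block")
    return root

def check_vswitch_vlan(cfg):
    """Apply the two rules stated in the thread; returns a list of findings."""
    findings, vswitches = [], cfg.get("system virtual-switch", {})
    toggle = cfg.get("system global", {}).get("virtual-switch-vlan") == "enable"
    intfs = cfg.get("system interface", {})
    for name, vs in vswitches.items():  # rule 1: 'set vlan' on a vswitch needs the global toggle
        if "vlan" in vs and not toggle:
            findings.append(f"{name}: 'set vlan {vs['vlan']}' without 'set virtual-switch-vlan enable'")
    for ifname, intf in intfs.items():  # rule 2: VLAN subinterface on a vswitch needs trunk members
        parent = intf.get("interface")
        if "vlanid" in intf and parent in vswitches:
            for port in vswitches[parent].get("port", {}):
                if intfs.get(port, {}).get("trunk") != "enable":
                    findings.append(f"{ifname}: member {port} of {parent} lacks 'set trunk enable'")
    return findings

# Constructed sample: the vlan-switch layout from the thread, but without the global toggle.
SAMPLE = """config system virtual-switch
    edit "VLAN SW"
        set physical-switch "sw0"
        set vlan 5
    next
end"""
```

Run `check_vswitch_vlan(parse_fortios(SAMPLE))` to get the rule 1 finding; prepend the 'config system global' block with the toggle enabled and the list comes back empty.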

    sw2090
    SuperUser
    May 3, 2022

    I currently cannot see the use in this. For what do I configure a vlan switch with a VID if it then does not tag the traffic? Then creating a trunk, in my opinion, would render the switch useless, because the ports are trunked (i.e. they behave like one port and not a "port replicator" aka switch). So for what would that be good? Can anyone explain that to me?

    Since those are completely opposing things, I don't really wonder about that leading to a kernel crash upon upgrading...