Sany84
New Member
December 3, 2025
Question

Software Switch with VLANs and separate Ports


Hello,

 

I am new to FortiGate, I have a Fortinet FG100E.

My Setup is:

 

Software Switch (assigned to Port1-4, X1,X2)

->VLAN 5 (802.1Q)

->VLAN 10 (802.1Q)

->VLAN 15 (802.1Q)

->VLAN 20 (802.1Q)

 

On my Aruba switch I can set a port to "tagged" or "untagged"; now I want to assign on my FortiGate only VLAN20 to Port 4-6, and VLAN15 to 7-8.

 

Can anyone help me to set up the ports/VLANs? How do I need to set it up?

Can anyone help to set up the VLANs on these ports?

4 replies

ebilcari
Staff
December 3, 2025

Based on the Administration guide, a software switch functions like a single interface. It has one IP address, and all the interfaces in the software switch are on the same subnet.

 

I think you should create two separate Software switches and group the respective ports.

Emirjon
funkylicious
SuperUser
December 3, 2025

hi,

if you want to assign a specific vlan only to certain ports, in your case you would need to create a separate software/hardware/vlan switch with those ports, but there's a limitation you should be aware of: the same vlanid can exist on different interfaces under certain conditions: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Hardware-switch-Software-switch-VLAN-switch-Use/ta-p/210153#:~:text=Another%20common%20question%3A%20is%20it%20possible%20to%20have%20a%20VLAN%20configured%20on%20multiple%20ports%3F

i'm not a big fan of those 'virtual'-switches on FGT and would recommend that you do LAG/port-channel towards the switches instead

"jack of all trades, master of none"
Sany84
Author
New Member
December 3, 2025

hey, 

 

Phew, FGT is complicated; the end configuration of my network is 10 VLANs, and my brain is at its limit with the configuration.

 

I need 1 trunk port (X1, X2) with all VLANs to the switch, and 4 ports for VLAN20, and the other 4 for VLAN15.

 

My problem now is the Software Switch with all VLANs on Ports X1 and X2. I configured Port 4-8 with a Software Switch and created the needed VLAN with the ID 20, but it doesn't work, I get no IP from the DHCP...

 

My brain is a little bit stuck..

funkylicious
SuperUser
December 3, 2025

i would suggest the following:

- delete the software switches

- create port-channel/LAG/LACP with each pair of ports

LAG1: x1+x2 and leave it in trunk on switch side and create subinterfaces/SVI on the FortiGate LACP

LAG2: p1+p2+p3+p4 ( or just 2 ports ) and leave it in access mode and assign an IP on the FGT side ( or you can do them in trunk and assign subinterfaces for other VLANs in the future )

LAG3 similar w/ LAG2

"jack of all trades, master of none"
Sany84
Author
New Member
December 3, 2025

Hey.. I configured LAG1, all VLANs are available over the Aruba switch.

I configured port5 for VLAN16, but my NAS gets no IP from the DHCP server on VLAN16... what's wrong?

 

 

I tried this: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Hardware-switch-Software-switch-VLAN-switch-Use/ta-p/210153#:~:text=Another%20common%20question%3A%20is%20it%20possible%20to%20have%20a%20VLAN%20configured%20on%20multiple%20ports%3F

 

I configured a VLAN switch with VLAN16 and port5; it is the same, I get no ping from the FGT or anything. I tried with a laptop, but I don't get an IP address from VLAN16.

 

I tried an allow policy from VLAN16a to VLAN16, or LAG01-Aruba, dst=all, src=all, services=all, no NAT, with no luck..

 

 

config system interface
    edit "mgmt"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set dedicated-to management
        set role lan
        set snmp-index 2
    next
    edit "wan1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping speed-test
        set type physical
        set lldp-reception enable
        set role wan
        set snmp-index 3
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "LAG01-Aruba"
        set vdom "root"
        set ip 172.16.1.1 255.255.255.0
        set allowaccess ping https http
        set type aggregate
        set member "port15,port16"
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 35
        set algorithm L3
    next
    edit "fortilink"
        set vdom "root"
        set fortilink enable
        set ip 10.255.1.1 255.255.255.0
        set allowaccess ping fabric
        set type aggregate
        set lldp-reception enable
        set lldp-transmission enable
        set snmp-index 28
    next
    edit "Server VLAN"
        set vdom "root"
        set ip 172.16.5.254 255.255.255.0
        set allowaccess ping radius-acct speed-test
        set alias "VLAN5"
        set device-identification enable
        set role lan
        set snmp-index 31
        set interface "LAG01-Aruba"
        set vlanid 5
    next
    edit "Camera-Network"
        set vdom "root"
        set ip 172.16.16.254 255.255.255.0
        set allowaccess ping radius-acct speed-test
        set alias "VLAN16"
        set device-identification enable
        set role lan
        set snmp-index 32
        set interface "LAG01-Aruba"
        set vlanid 16
    next
    edit "VLAN17"
        set vdom "root"
        set ip 172.16.17.1 255.255.255.0
        set allowaccess ping radius-acct speed-test
        set alias "Guest-WiFi-Network"
        set device-identification enable
        set role lan
        set snmp-index 33
        set interface "LAG01-Aruba"
        set vlanid 17
    next
    edit "IoT-Netzwerk"
        set vdom "root"
        set ip 172.16.15.254 255.255.255.0
        set allowaccess ping speed-test
        set alias "VLAN15"
        set device-identification enable
        set role lan
        set snmp-index 29
        set interface "LAG01-Aruba"
        set vlanid 15
    next
    edit "VLAN16a"
        set vdom "root"
        set allowaccess ping
        set vlan-protocol 8021ad
        set device-identification enable
        set role lan
        set snmp-index 27
        set interface "port5"
        set vlanid 16
    next

 

 

funkylicious
SuperUser
December 4, 2025

do you have a DHCP server enabled under Camera-Network interface?

in my opinion you are overcomplicating things with whatever setup you are trying to do.

 

the use case in my opinion for doing virtual/software/hardware/vlan switches on the FortiGate is when your infrastructure doesn't have port density or you don't have a switch on which you can connect multiple devices.

 

if you really want to bundle and have traffic from Camera-Network and VLAN16a, then make sure neither interface is used ( or has any IP addresses configured ) and create a Software Switch with both interfaces ( Camera-Network and VLAN16a ) and on it you assign the IP that you want and DHCP server.

but do take note that port5 is configured/acts as trunk since you defined VLAN16 on a subinterface for it, so whatever you are connecting in it has to tag the traffic with the vlan 16.

"jack of all trades, master of none"
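
An added example, not part of any post in this thread and not Fortinet code: a short Python audit that reads a "config system interface" excerpt and, for each VLAN subinterface, reports the tag its parent port expects, whether an IP address is set, and whether the tag protocol differs from 802.1Q. The sample is constructed by trimming the config posted above; the function names parse_interfaces and audit_vlans are hypothetical.

```python
import re

# Constructed sample: trimmed from the interface config posted in the thread.
SAMPLE = '''config system interface
    edit "LAG01-Aruba"
        set ip 172.16.1.1 255.255.255.0
    next
    edit "Camera-Network"
        set ip 172.16.16.254 255.255.255.0
        set interface "LAG01-Aruba"
        set vlanid 16
    next
    edit "VLAN16a"
        set vlan-protocol 8021ad
        set interface "port5"
        set vlanid 16
    next
end
'''

def parse_interfaces(text):
    """Return {interface name: {setting: value}} for the top-level edit blocks."""
    table, current, depth = {}, None, 0
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            depth -= 1
        elif depth != 1:
            continue  # ignore nested tables such as "config ipv6"
        elif m := re.match(r'edit "([^"]+)"$', line):
            current = table.setdefault(m.group(1), {})
        elif current is not None and (m := re.match(r"set (\S+) (.+)$", line)):
            current[m.group(1)] = m.group(2).strip('"')
    return table

def audit_vlans(table):
    """Return {subinterface: [notes]} for every entry that carries a vlanid."""
    report = {}
    for name, cfg in table.items():
        if "vlanid" not in cfg:
            continue
        notes = [f"{cfg.get('interface')} expects frames tagged {cfg['vlanid']}"]
        if "ip" not in cfg:
            notes.append("no IP address")
        if (proto := cfg.get("vlan-protocol", "8021q")) != "8021q":  # FortiOS default
            notes.append(f"tag protocol {proto}")
        report[name] = notes
    return report
```

Calling audit_vlans(parse_interfaces(SAMPLE)) gives one list of notes per VLAN subinterface, which makes it easy to compare two entries that share a VLAN ID on different parent ports.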