Using FortiGate for q-in-q interfaces

Forum|Forum|9 years ago
April 3, 2017
2 replies
13481 views

Does anyone know if there are plans for the FortiGate to support q-in-q like in a Cisco it would have the following

interface GigabitEthernet0/1 dot1q tunneling ethertype 0x88A8

and then on the sub-interface

interface GigabitEthernet0/1.101 encapsulation dot1Q 101 second-dot1q 244

ip address <some IP>

Thanks in advance.

Kenneth

emnoc

New Member

Not doable on a FGT, if you have a need for double tag, you need to install a QinQ switch b4 the FGT.

kliewAuthor

New Member

Do you think there's a chance to request a NFR (New Feature Request) for this or perhaps you might know if Fortinet has some strong design philosophy not to ever implement it ?

emnoc

New Member

Send one up, worst case denied or maybe if they get a few ( NFRs) they might act upon it.

AFAIK, no modern firewall uses QnQ interfaces outside of a SRX. I would think FTNT would deploy MPLS 1st b4 getting to QnQ but who knows.

But than again Juniper is always light-years ahead in regards to these areas.

;)

kliewAuthor

New Member

Yeah it would be nice if people reading this can spread the word to get as many request as possible for this NFR...

emnoc

New Member

I never used QinQ dual-tag on a layer3 interface personally outside of ASR9K but i see this being issues if you wanted to inspect and filter traffic in a layer2 hand-off like from a metroE provider and need to selectively inspect outertag(SPtag) + innerTag(clientTag) for certain traffic

Typically double-tag are terminated at a barrier device and inspection takes places south of that termination on a single tag.

Not even sure if a JuniperSRX could do just that but that could be a feature useful for somebody ;)

Ken

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded