npaiva
Staff
Article Id 249878
Description

This article describes how to implement 802.1ad QinQ on a FortiGate and how to span the inner (customer) VLAN across two physical interfaces, so that the local LAN and the remote site are connected through the provider network.

This is the topology used:

topology-8021ad.png

Scope

FortiGate.

Solution

S1 is a switch with an SVI in VLAN 10 and IP address 192.168.10.1/24; it simulates a client at site 1.

S2 is configured the same way at site 2, in the same VLAN and subnet.

PS1 and PS2 are the provider switches interconnecting the two sites.

The configuration shown below is the same on both FortiGate appliances (with the exception of any IP address assigned to the switch interface in the last step, which has to differ per appliance).

The first step on the FortiGate is to create the 802.1ad VLAN on the provider-facing port. This is the outer (service, or S-tag) VLAN: 'set vlan-protocol 8021ad' makes the FortiGate use the 802.1ad TPID 0x88A8 for this tag instead of the 802.1Q TPID 0x8100, so the provider switch port connected to port3 has to be set up for the same TPID, otherwise the frames will not be recognized as tagged:

config system interface
    edit "service-vlan"
        set vdom "root"
        set vlan-protocol 8021ad
        set device-identification enable
        set role undefined
        set snmp-index 9
        set interface "port3"
        set vlanid 3221
    next

Next, create VLAN 10 with 'service-vlan' as its parent interface. This is the inner tag, also referred to as the customer tag (C-tag); it is a regular 802.1Q tag (TPID 0x8100) carried inside the 802.1ad frame:

    edit "vlan10-service"
        set vdom "root"
        set device-identification enable
        set role undefined
        set snmp-index 10
        set interface "service-vlan"
        set vlanid 10
    next

Create another VLAN with the same tag but a different name; this is the VLAN 10 interface facing your LAN on port2:

    edit "vlan10-lan"
        set vdom "root"
        set device-identification enable
        set role undefined
        set snmp-index 11
        set interface "port2"
        set vlanid 10
    next
end

Create a software switch that binds both VLAN 10 interfaces together; this is what makes traffic flow between the two logical VLAN interfaces. For this to work, the VLAN interfaces must not be referenced anywhere else in the configuration (firewall policies, address objects and so on), which is why the role was set to undefined: some FortiOS versions automatically create an address object for an interface whose role is set to LAN, and that reference prevents the interface from being added to the switch. Note that traffic between members of a software switch is bridged at layer 2 and, with the default 'intra-switch-policy implicit', is not matched against firewall policies; set 'intra-switch-policy explicit' on the switch interface if the customer VLAN traffic crossing the FortiGate has to be inspected:

config system switch-interface
    edit "sw100"
        set vdom "root"
        set member "vlan10-service" "vlan10-lan"
    next
end

If an IP address is wanted on this VLAN (for example to manage the FortiGate from VLAN 10), it has to be configured on the switch interface, not on either member VLAN, since members of a software switch cannot carry an IP address:

config system interface
    edit "sw100"
        set vdom "root"
        set type switch
        set ip <your IP> <netmask>
        set snmp-index 12
    next
end

The configuration is now complete, and S1 and S2 should have connectivity with each other through the provider network (a ping from the S1 SVI to the S2 SVI is the quickest check).

Here is a packet capture on port2 of FortiGate1, where the traffic arrives from the LAN with the usual single 802.1Q tag (VLAN 10):

8021q packet int port2.png

And a packet capture on port3, where the same traffic carries the outer 802.1ad tag (VLAN 3221, TPID 0x88A8) followed by the inner 802.1Q tag (VLAN 10):

8021AD port3.png

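To make the two captures concrete without the screenshots, here is an added Python example (not part of the original article and not FortiOS code) that builds the frame as seen on port2, pushes the 802.1ad service tag the FortiGate adds on port3, and decodes the tag stack again. The MAC addresses, the ARP payload and the S2 target address 192.168.10.2 are constructed sample data; only VLAN 10, VLAN 3221 and the two TPIDs come from the article.

```python
"""Build and decode 802.1Q / 802.1ad (QinQ) Ethernet frames with the standard library only."""
import struct

TPID_8021Q = 0x8100        # 802.1Q customer tag (C-tag): what port2 sees
TPID_8021AD = 0x88A8       # 802.1ad service tag (S-tag): what port3 sees
TPID_QINQ_LEGACY = 0x9100  # pre-standard QinQ TPID still used by some provider gear
TPIDS = {TPID_8021Q, TPID_8021AD, TPID_QINQ_LEGACY}
TPID_NAMES = {TPID_8021Q: "802.1Q", TPID_8021AD: "802.1ad", TPID_QINQ_LEGACY: "QinQ-legacy"}


def build_frame(dst: bytes, src: bytes, tags, ethertype: int, payload: bytes) -> bytes:
    """Assemble an Ethernet frame. tags is a list of (tpid, vid), outermost first."""
    frame = dst + src
    for tpid, vid in tags:
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)  # TCI with PCP=0, DEI=0
    return frame + struct.pack("!H", ethertype) + payload


def push_tag(frame: bytes, tpid: int, vid: int) -> bytes:
    """Insert a new outermost tag right after the two MAC addresses."""
    return frame[:12] + struct.pack("!HH", tpid, vid & 0x0FFF) + frame[12:]


def pop_tag(frame: bytes) -> bytes:
    """Remove the outermost tag (what happens when port3 traffic is bridged towards port2)."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid not in TPIDS:
        raise ValueError("frame is untagged")
    return frame[:12] + frame[16:]


def parse_frame(frame: bytes):
    """Return (dst, src, tags, ethertype, payload); tags is [(tpid, pcp, dei, vid), ...]."""
    dst, src = frame[:6], frame[6:12]
    off, tags = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TPIDS:
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    return dst, src, tags, etype, frame[off + 2:]


def describe(frame: bytes) -> str:
    """One-line summary of the tag stack, e.g. '802.1ad 3221 / 802.1Q 10 / 0x0806'."""
    _, _, tags, etype, _ = parse_frame(frame)
    parts = [f"{TPID_NAMES[t]} {vid}" for t, _, _, vid in tags]
    return " / ".join(parts + [f"0x{etype:04X}"])


def is_valid_qinq(frame: bytes) -> bool:
    """True only for a standards-compliant S-tag (0x88A8) over a C-tag (0x8100)."""
    tags = parse_frame(frame)[2]
    return len(tags) == 2 and tags[0][0] == TPID_8021AD and tags[1][0] == TPID_8021Q


# Constructed sample: an ARP request from S1 in VLAN 10, as it would arrive on port2.
# S1_MAC and the S2 target address 192.168.10.2 are assumptions, not from the article.
S1_MAC = bytes.fromhex("021000000001")
BCAST = b"\xff" * 6
ARP_REQ = (bytes.fromhex("0001080006040001") + S1_MAC + bytes([192, 168, 10, 1])
           + b"\x00" * 6 + bytes([192, 168, 10, 2]))
PORT2_FRAME = build_frame(BCAST, S1_MAC, [(TPID_8021Q, 10)], 0x0806, ARP_REQ)
# The same frame after the FortiGate pushes the S-tag of 'service-vlan' (VLAN 3221) on port3.
PORT3_FRAME = push_tag(PORT2_FRAME, TPID_8021AD, 3221)
# What a provider port that stacks tags with the plain 802.1Q TPID would produce instead.
BAD_OUTER_FRAME = push_tag(PORT2_FRAME, TPID_8021Q, 3221)

if __name__ == "__main__":
    for name, f in (("port2", PORT2_FRAME), ("port3", PORT3_FRAME), ("bad-outer", BAD_OUTER_FRAME)):
        print(f"{name}: {describe(f)}  valid QinQ={is_valid_qinq(f)}")
```

Running the script prints the tag stack of each frame. The third frame has an outer tag with TPID 0x8100, which is what a provider port that stacks tags with the 802.1Q TPID (or the legacy 0x9100 one) produces; 'is_valid_qinq' rejects it, and that TPID mismatch is the first thing to look for when the port3 capture does not show 0x88A8. On the FortiGate itself, 'diagnose sniffer packet port3 '' 6' prints frames together with their Ethernet headers, so the TPID and both VLAN IDs can be checked the same way.
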
This is what the configuration looks like from the GUI:

GUI.png

Related document:

QinQ 802.1Q in 802.1ad