FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 210153


This article addresses a topic on which documentation is quite scarce; many times there is nothing to start with.

Most questions are along the lines of: What type of switch should be used in my topology? How can more VLANs be allowed on a switch? Does it need a trunk port?

This article is not comprehensive and not a complete guide, but it is a start (stub) with some information and examples, in the hope that it will grow in time into a more accurate description.




Familiarization with VLAN traffic, the types of switches available on FortiGates, and their capabilities.




VLAN ID tags consist of a 4-byte frame extension that switches and routers apply to every packet sent and received in the VLAN.

Workstations and desktop computers, which are commonly originators or destinations of network traffic, are not an active part of the VLAN process.

All the VLAN tagging and tag removal is done AFTER the packet has left the computer.

This is important to note if a user plans to mix, in a switch construct, multiple ports (some that lead to hosts and others that lead to switches).
This is not a recommended setup: all access ports should generally be on the access switches, not on the firewall directly, to allow for redundancy and scalability.


On a Layer-2 switch, you can have only one VLAN subinterface per physical interface, unless that interface is configured as a trunk link. 

Trunk links can transport traffic for multiple VLANs to other parts of the network (all VLANs, or specified VLANs).



On a FortiGate, it is possible to add (specify/allow) multiple VLANs to the same physical interface.
However, VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID or have IP addresses on the same subnet. 

It is possible to add VLAN subinterfaces with the same VLAN ID to different physical interfaces.




Creating VLAN subinterfaces with the same VLAN ID does not create any internal connection between them! (This is not about switches yet, only regular interfaces/subinterfaces.)
For example, a VLAN ID of 5 on port2 and a VLAN ID of 5 on port3 are allowed, but they are not connected just by being defined with the same VLAN ID.

Their relationship is the same as between any two FortiGate network interfaces (needing policies to allow traffic).


FortiGate unit interfaces cannot have overlapping IP addresses: the IP addresses of all interfaces must be on different subnets.

This rule applies to both physical interfaces and to virtual interfaces such as VLAN subinterfaces.


Each VLAN subinterface must be configured with its own IP address and netmask. This rule helps prevent a broadcast storm or other similar network problems.


In the above image, once port1 has the subinterface 'Vlan5' set up with an IP, the subinterface 'Vlan5a' defined on port2 cannot be given that IP (or any IP in the same subnet).

But it can be left undefined ( ).

For routing, the traffic takes the connected route over 'Vlan5' only, so it may be necessary to add policy routes to send traffic for specific IPs over the 'Vlan5a' interface.
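The rules from this and the preceding paragraphs, checked over a constructed interface table as an added Python example (illustrative code written for this article, not FortiOS configuration or anything from Fortinet): a duplicate VLAN ID is rejected only when two subinterfaces share a physical port, any subnet overlap between interfaces is flagged, and 'Vlan5' and 'Vlan5a', which share VLAN ID 5 on different ports, pass traffic only when a policy names them. The interface names, IP addresses and the single policy are assumptions made up for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed interface table, modelled on the 'Vlan5' / 'Vlan5a' example above.
# Keys: name, interface (parent physical port, None for a physical port),
# vlanid (None for a physical port), ip ("address/prefix", None when left undefined).
INTERFACES = [
    {"name": "port1", "interface": None, "vlanid": None, "ip": "192.168.1.99/24"},
    {"name": "port2", "interface": None, "vlanid": None, "ip": None},
    {"name": "Vlan5", "interface": "port1", "vlanid": 5, "ip": "10.5.0.1/24"},
    # Same VLAN ID on another physical port is allowed; the IP stays undefined
    # because 10.5.0.0/24 is already used by 'Vlan5'.
    {"name": "Vlan5a", "interface": "port2", "vlanid": 5, "ip": None},
]

# Constructed policy: FortiGate passes Vlan5 -> Vlan5a traffic only because of this entry.
POLICIES = [{"srcintf": "Vlan5", "dstintf": "Vlan5a", "action": "accept"}]


def check_interfaces(interfaces: List[dict]) -> List[str]:
    """Return the rule violations found; an empty list means the table is consistent."""
    problems: List[str] = []
    vlan_owner: Dict[Tuple[str, int], str] = {}  # (physical port, VLAN ID) -> subinterface
    subnets: List[Tuple[str, object]] = []       # (interface name, configured subnet)
    for itf in interfaces:
        parent, vid = itf["interface"], itf["vlanid"]
        if vid is not None:
            if not 1 <= vid <= 4094:
                problems.append(f"{itf['name']}: VLAN ID {vid} is out of range")
            # Rule: no two subinterfaces on the same physical port may share a VLAN ID.
            key = (parent, vid)
            if key in vlan_owner:
                problems.append(
                    f"{itf['name']}: VLAN {vid} already used on {parent} by {vlan_owner[key]}")
            else:
                vlan_owner[key] = itf["name"]
        if itf["ip"]:
            # Rule: no interface (physical or VLAN) may overlap another interface's subnet.
            net = ipaddress.ip_interface(itf["ip"]).network
            for other, onet in subnets:
                if net.overlaps(onet):
                    problems.append(f"{itf['name']}: subnet {net} overlaps {other} ({onet})")
            subnets.append((itf["name"], net))
    return problems


def allowed(policies: List[dict], src: str, dst: str) -> bool:
    """Traffic from src to dst passes only if an accept policy names that pair.

    Sharing a VLAN ID plays no part here: 'Vlan5' and 'Vlan5a' are just two interfaces.
    Policies are one-directional; reply traffic rides the session, not a reverse policy.
    """
    return any(p["srcintf"] == src and p["dstintf"] == dst and p["action"] == "accept"
               for p in policies)


if __name__ == "__main__":
    print("violations:", check_interfaces(INTERFACES))
    bad = INTERFACES + [{"name": "Vlan5b", "interface": "port1", "vlanid": 5, "ip": "10.5.0.2/24"}]
    for problem in check_interfaces(bad):
        print("violation:", problem)
    print("Vlan5 -> Vlan5a allowed:", allowed(POLICIES, "Vlan5", "Vlan5a"))
    print("Vlan5a -> Vlan5 allowed:", allowed(POLICIES, "Vlan5a", "Vlan5"))
```

Adding a 'Vlan5b' on port1 with VLAN ID 5 and an address in 10.5.0.0/24 triggers both checks at once, which is the situation the GUI refuses when the same subnet is typed into a second subinterface.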


The FortiGate unit will tag packets leaving from a VLAN subinterface.
It will also remove VLAN tags from incoming packets and add a different VLAN tag to outgoing packets.


How does an interface process traffic when a VLAN subinterface is defined?




In this case, the interface port1 defined on the FortiGate can be compared with a trunk port that allows only certain VLANs (here: untagged traffic, Vlan5 and Vlan10).

It is then understandable why traffic received with a Vlan1 tag does not reach the FortiGate (valid if the switch applies the Vlan1 tag to all untagged traffic).



Switches (Software / Hardware / VLAN).


Expanding on the above, more such ports can be added to a FortiGate switch.

All ports are basically 'trunk' ports, carrying all VLANs.

The FortiGate will process untagged frames according to the rules configured for that physical interface, and tagged frames according to the rules configured for the matching VLAN subinterface on the receiving physical interface.
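The tagging and dispatch behaviour described above (the 4-byte tag, the trunk-port comparison for port1 and the untagged/tagged processing rule), modelled in Python as an added example; this is illustrative code written for this article, not FortiOS code or anything from Fortinet. It builds and parses the 802.1Q tag, and shows a physical port handing untagged frames to itself, tagged frames to the subinterface with the matching VLAN ID, and dropping tagged frames for which no subinterface exists (the Vlan1 case). The names port1, Vlan5 and Vlan10 and the MAC addresses are constructed.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional

TPID_8021Q = 0x8100  # Tag Protocol Identifier that marks an 802.1Q-tagged frame


@dataclass
class Frame:
    dst: bytes                     # 6-byte destination MAC
    src: bytes                     # 6-byte source MAC
    ethertype: int                 # payload EtherType, e.g. 0x0800 for IPv4
    payload: bytes
    vlan_id: Optional[int] = None  # None means untagged
    pcp: int = 0                   # 802.1p priority bits carried in the tag


def encode(frame: Frame) -> bytes:
    """Serialize the frame; a tagged frame gets the 4-byte tag inserted after the source MAC."""
    if len(frame.dst) != 6 or len(frame.src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    out = frame.dst + frame.src
    if frame.vlan_id is not None:
        if not 0 <= frame.vlan_id <= 4095:
            raise ValueError("VLAN ID must be 0..4095")
        tci = (frame.pcp << 13) | frame.vlan_id  # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
        out += struct.pack("!HH", TPID_8021Q, tci)
    return out + struct.pack("!H", frame.ethertype) + frame.payload


def decode(raw: bytes) -> Frame:
    """Parse a frame, removing the 802.1Q tag if present and recording its VLAN ID."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != TPID_8021Q:
        return Frame(dst, src, ethertype, raw[14:])
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner_type = struct.unpack("!HH", raw[14:18])
    return Frame(dst, src, inner_type, raw[18:], vlan_id=tci & 0x0FFF, pcp=tci >> 13)


@dataclass
class PhysicalInterface:
    """A physical port plus the VLAN subinterfaces defined on it (VLAN ID -> name)."""
    name: str
    subinterfaces: Dict[int, str] = field(default_factory=dict)

    def add_vlan(self, name: str, vlan_id: int) -> None:
        # Two subinterfaces on the same physical port cannot share a VLAN ID.
        if vlan_id in self.subinterfaces:
            raise ValueError(f"VLAN {vlan_id} already defined on {self.name}")
        self.subinterfaces[vlan_id] = name

    def ingress(self, raw: bytes) -> Optional[str]:
        """Logical interface receiving the frame: the port itself for untagged frames,
        the matching subinterface for tagged ones, None (dropped) when nothing matches."""
        frame = decode(raw)
        if frame.vlan_id is None:
            return self.name
        return self.subinterfaces.get(frame.vlan_id)

    def egress(self, logical: str, frame: Frame) -> bytes:
        """Frames sent from a subinterface leave tagged with its VLAN ID; from the port, untagged."""
        if logical == self.name:
            return encode(Frame(frame.dst, frame.src, frame.ethertype, frame.payload))
        for vid, sub in self.subinterfaces.items():
            if sub == logical:
                return encode(Frame(frame.dst, frame.src, frame.ethertype, frame.payload, vlan_id=vid))
        raise ValueError(f"{logical} is not {self.name} or one of its subinterfaces")


def demo_port1() -> PhysicalInterface:
    """port1 with Vlan5 and Vlan10, like the trunk-port comparison above (constructed names)."""
    port1 = PhysicalInterface("port1")
    port1.add_vlan("Vlan5", 5)
    port1.add_vlan("Vlan10", 10)
    return port1


if __name__ == "__main__":
    port1 = demo_port1()
    base = dict(dst=b"\xff" * 6, src=b"\x02\x00\x00\x00\x00\x01", ethertype=0x0800, payload=b"ping")
    for vid in (None, 5, 10, 1):
        raw = encode(Frame(**base, vlan_id=vid))
        print(f"tag={vid!s:>4}  len={len(raw)}  received by: {port1.ingress(raw)}")
```

Running it shows the untagged frame landing on port1, VLAN 5 and 10 frames on their subinterfaces, and the VLAN 1 frame being dropped, which is exactly what a host behind a switch that tags everything with VLAN 1 would experience against this port.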


Starting sample topology (do not mind the interfaces being down).

It is possible to see that 'HW Switchw', which was initially of the 'Hardware Switch' type, now shows as 'VLAN Switch' after enabling 'VLAN Switch':





These switches also have individual entries under 'config system interface':




What can each one do?
As the more flexible one, the Software switch has a few extra options (in red) that can be configured:




Otherwise, the behavior is quite similar:




This means that packets leaving the 'SW Switch' interface that are not for the vlan25 subnet will not be tagged.

However, unlike the other types, the Software switch can accept tagging on individual ports. In this example, it means that only port5 can carry/receive traffic from the Vlan21 subnet:




Another common question: is it possible to have a VLAN on multiple ports? Yes, but they are not related and need policies to communicate.

Also, no IP overlap is allowed, so only one interface can have an IP defined in that specific subnet:







The Software switch is more versatile, but this comes at the expense of CPU usage, unlike the other types of switches.

This may not be noticeable on small units, so the decision can be made based on the connections to the LAN switch and its capabilities.




Related articles:
Technical Tip : What is and how to enable VLAN Switch on FortiGate
Setup comparison between FortiGate Hardware switch, Software switch, VLAN switch
Technical Tip: How to create a VLAN tagged interface (802.1q) on a FortiGate - tagged/untagged traff...