Umer221 (Staff)
Article Id 342208
Description

This article provides an example configuration in which a downstream Layer-3 switch is configured with VLANs and performs the inter-VLAN routing.

When inter-VLAN routing is done by a downstream Layer-3 switch, FortiGate has no knowledge of the VLANs created on that switch; it only sees the routed traffic arriving on the link between the two devices.

Scope
FortiOS, FortiGate, Routing, Inter-VLAN.
Solution
  1. VLAN Configuration: A Layer-3 switch is configured with VLAN 10 and VLAN 30. This example focuses on VLAN 30, but the same steps apply for other VLANs.
  2. Trunk Port Configuration: Interface e0/0 on the switch (configured as a trunk port) is directly connected to Port2 on the FortiGate.
  3. SVI and VLAN Tagging: VLAN tagging is set up on the switch, and an SVI (Switched Virtual Interface) is created for each VLAN.
  4. Inter-VLAN Routing: The switch handles inter-VLAN routing to allow communication between VLANs.
  5. Static route on Layer-3 switch: A static route must be created on the switch with next hop 10.10.25.1, the address of Port2 (10.10.25.1/24) on FortiGate, which acts as the gateway for downstream traffic.
  6. Static Route on FortiGate: Configure a static route on FortiGate for each VLAN subnet, with next hop 10.10.25.2, the e0/0 IP (10.10.25.2/24) on the switch.
  7. Firewall Policy: Set up a firewall policy on FortiGate to allow VLAN traffic to access the internet.
  8. VLAN Sub-interfaces on FortiGate: VLAN sub-interfaces are not required on FortiGate for this setup.
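The routing side of steps 5 to 7 can be checked with a small model of the FortiGate route table. The following Python is an added example, not configuration from this article or from Fortinet: it implements longest-prefix matching over the routes the steps describe and shows that a reply to a downstream VLAN host is sent to the switch at 10.10.25.2 via Port2 only when the per-VLAN static route of step 6 exists; without it, the same reply follows the default route out of the WAN interface. The VLAN subnets (192.168.10.0/24 and 192.168.30.0/24), the WAN interface name port1 and the WAN gateway 203.0.113.1 are assumed values; only 10.10.25.1/24 on Port2 and 10.10.25.2 on the switch come from the article.

```python
# Added example (not from this article or Fortinet): a minimal longest-prefix-match
# route table modelling the FortiGate forwarding decision for traffic returning
# to the downstream VLANs. Only 10.10.25.1/24 (Port2) and 10.10.25.2 (switch e0/0)
# come from the article; the VLAN subnets, port1 and 203.0.113.1 are assumed values.
from ipaddress import ip_address, ip_network

# Each route: (prefix, next_hop, interface). next_hop None = directly connected.
CONNECTED = [
    ("10.10.25.0/24", None, "port2"),   # Port2, 10.10.25.1/24 (from the article)
    ("203.0.113.0/24", None, "port1"),  # assumed WAN subnet
]
DEFAULT = [("0.0.0.0/0", "203.0.113.1", "port1")]  # assumed WAN gateway

# Step 6: one static route per downstream VLAN subnet, next hop = switch e0/0.
VLAN_STATIC = [
    ("192.168.10.0/24", "10.10.25.2", "port2"),  # assumed VLAN 10 subnet
    ("192.168.30.0/24", "10.10.25.2", "port2"),  # assumed VLAN 30 subnet
]


def lookup(table, dst):
    """Longest-prefix match: return (next_hop, interface) for dst, or None."""
    dst_ip = ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    if best is None:
        return None
    net, next_hop, iface = best
    # On a connected route the packet is delivered directly to the destination.
    return (next_hop if next_hop is not None else str(dst_ip), iface)


def reply_path(dst, with_vlan_routes=True):
    """Where FortiGate sends a reply to dst, with or without the step-6 routes."""
    table = CONNECTED + DEFAULT + (VLAN_STATIC if with_vlan_routes else [])
    return lookup(table, dst)


if __name__ == "__main__":
    for host in ("192.168.30.25", "192.168.10.7", "10.10.25.2", "198.51.100.9"):
        print(host, "with routes ->", reply_path(host),
              "| without ->", reply_path(host, with_vlan_routes=False))
```

Running the block shows the practical reason for step 6: FortiGate has no interface in the VLAN subnets, so without a static route it has nothing more specific than the default route for them and would send return traffic toward the WAN gateway instead of back through Port2 to the switch.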

Topology:

[Image: topology diagram]

Configuration:

The following steps focus on the FortiGate configuration only.

Port2 on FortiGate:

[Image: Port2 interface configuration (screenshot 1)]

[Image: Port2 interface configuration (screenshot 2)]


Static Route for each VLAN on FortiGate:

[Image: static route configuration]

[Image: static route configuration (CLI)]

Firewall Policy:

[Image: firewall policy (screenshot 1)]

[Image: firewall policy (screenshot 2)]

Verification:

Once the above configuration is completed, downstream devices should have internet access. A packet capture on FortiGate should show the downstream VLAN traffic destined for the internet reaching FortiGate without VLAN tags.

The absence of an 802.1Q VLAN tag header in the capture verifies that traffic is reaching FortiGate untagged.

[Image: Wireshark packet capture]
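The check in the verification step, that no 802.1Q header is present on frames arriving from the switch, can also be done programmatically over a capture. The Python below is an added example, not code from this article or from Fortinet: it parses the Ethernet header of each raw frame, walks any 802.1Q or 802.1ad tags, and summarises how many frames were untagged, which VLAN IDs appeared on tagged frames, and which source addresses fall outside the expected downstream subnets. The frames are constructed inside the block rather than taken from a pcap, and the VLAN subnets 192.168.10.0/24 and 192.168.30.0/24 are assumed values; a real run would feed it the packet bytes read from the FortiGate capture.

```python
# Added example (not from this article or Fortinet): detect 802.1Q tags in raw
# Ethernet frames, the check the verification step does by eye in Wireshark.
# Frames are constructed below as sample data; a real run would read them
# from a pcap taken on Port2. The downstream subnets are assumed values.
import struct
from ipaddress import ip_address, ip_network

ETH_IPV4 = 0x0800
ETH_8021Q = 0x8100   # single VLAN tag
ETH_8021AD = 0x88A8  # QinQ outer tag; also counts as tagged


def parse_frame(frame):
    """Return tag status, outermost VLAN ID, ethertype and IPv4 src/dst of one frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    vlan_id = None
    # Walk one or more VLAN headers: TPID already read, then TCI + next ethertype.
    while ethertype in (ETH_8021Q, ETH_8021AD) and len(frame) >= offset + 4:
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        if vlan_id is None:
            vlan_id = tci & 0x0FFF  # keep the outermost VID
        offset += 4
    info = {"tagged": vlan_id is not None, "vlan_id": vlan_id, "ethertype": ethertype}
    if ethertype == ETH_IPV4 and len(frame) >= offset + 20:
        info["src"] = str(ip_address(frame[offset + 12:offset + 16]))
        info["dst"] = str(ip_address(frame[offset + 16:offset + 20]))
    return info


def verify_capture(frames, expected_subnets):
    """Summarise a capture: untagged count, VIDs seen, sources outside the VLAN subnets."""
    nets = [ip_network(s) for s in expected_subnets]
    summary = {"untagged": 0, "tagged_vids": [], "foreign_src": []}
    for frame in frames:
        info = parse_frame(frame)
        if info["tagged"]:
            summary["tagged_vids"].append(info["vlan_id"])
        else:
            summary["untagged"] += 1
        src = info.get("src")
        if src is not None and not any(ip_address(src) in n for n in nets):
            summary["foreign_src"].append(src)
    return summary


def build_frame(src, dst, vlan=None):
    """Construct a minimal Ethernet/IPv4 frame (sample data, not a real capture)."""
    mac_dst = bytes.fromhex("001122334455")
    mac_src = bytes.fromhex("66778899aabb")
    tag = struct.pack("!HH", ETH_8021Q, vlan & 0x0FFF) if vlan is not None else b""
    # 20-byte IPv4 header: ver/IHL, TOS, total length, id, flags/frag, TTL, proto, csum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    return mac_dst + mac_src + tag + struct.pack("!H", ETH_IPV4) + ip_hdr


# Constructed sample capture: three untagged frames (one from outside the
# assumed VLAN subnets) and one frame that still carries VLAN 30's tag.
SAMPLE_FRAMES = [
    build_frame("192.168.30.25", "198.51.100.10"),
    build_frame("192.168.10.7", "198.51.100.10"),
    build_frame("172.16.5.5", "198.51.100.10"),
    build_frame("192.168.30.9", "198.51.100.10", vlan=30),
]
ASSUMED_VLAN_SUBNETS = ["192.168.10.0/24", "192.168.30.0/24"]

if __name__ == "__main__":
    print(verify_capture(SAMPLE_FRAMES, ASSUMED_VLAN_SUBNETS))
```

A non-empty tagged_vids list points at the switch side of the link (the trunk or native VLAN configuration on e0/0), since this setup relies on FortiGate receiving untagged frames on Port2 and, per step 8, has no VLAN sub-interface that would accept tagged ones; a non-empty foreign_src list indicates traffic from a subnet that the step 6 static routes and the step 7 firewall policy do not account for.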