Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vrajendran
Staff
Staff

Created on ‎08-25-2009 03:06 AM Edited on ‎12-27-2024 07:19 AM By Community Manager

Article Id 193893

Technical Tip: How to create a VLAN tagged interface (802.1q) on a FortiGate - tagged/untagged traffic

Description

 
This article describes the steps to create a VLAN interface (802.1q tag) on a FortiGate.

Scope
 
Any FortiGate.


Solution

 
Note about traffic tagging:
A VLAN interface is attached to a physical interface. 
When the FortiGate sends out traffic to the physical interface level, the egress packets are untagged, whereas the packets sent on a VLAN level are tagged.
 
If on a particular VLAN there are destination devices in the network that do not accept tagged packets, it will be required to connect the FortiGate to an intermediate L2 unit (a switch for example) configured with the same VLAN(s).

Below is an example structure with a FortiGate with VLAN id 1 attached to port1:
 
[ FortiGate ]  ---- port1 ----->  untagged packets
                    ----VLAN1 (on port1) ----->  tagged packets
 
Configuration steps to add the VLAN 100 to the physical interface port1 through both the CLI and GUI are provided in this article. The VLAN will be named My_VLAN_100.
 
Notes:
 
  • Once created, this interface is subject to the same rules as physical interfaces. Firewall Policies must be defined to allow/deny traffic to/from this interface, and other common objects like Firewall Address can be assigned to it.
  • The physical interface on which a VLAN is attached does not require any IP address settings.

     

  • The physical interface on which the VLAN is attached will share the bandwidth with all the VLANs attached in the physical interface.

  • The VLAN ID range is from 1 to 4094. VLAN ID of 0 is reserved for high-priority frames, and 4095 is reserved.

 
Configuration steps from the GUI:

  1. Go to System -> Network and select 'Create New' -> 'Interface'.

AlexCFTNT_0-1671696297386.png

 

  1. Give a Name to the VLAN interface.

 

  1. Choose the physical interface on which to attach the VLAN.

 

  1. Give the desired VLAN ID. All other fields depend on individual requirements, such as IP address and ping server.

 

  1. After completing the above steps, select 'Ok' to save the new VLAN interface.

 

AlexCFTNT_2-1671696559984.png

 

To verify, check the interface in System -> Network -> Interfaces, by expanding the physical port. There, the new VLAN should be displayed:

 

AlexCFTNT_3-1671696701797.png


Configuration steps in the CLI for the above VLAN:

 

config system interface
    edit "My_VLAN_100"
        set vdom root
        set ip 192.168.100.1/24
        set interface internal1
        set vlanid 100
    next
end

 

Related articles:

Troubleshooting Tip: Using the FortiGate sniffer on VLAN interfaces

Technical Tip: rules about VLAN configuration and VDOM interface assignment

 

Related video:

https://www.youtube.com/watch?v=ConTgNK2SbQ

Labels:
230559
Suggest New Article
Article Feedback
Comments
crao
Staff
Staff
‎02-27-2023 07:46 PM

Thanks for documenting.

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.