FortiGate
ekrishnan
Staff
Article Id 270111
Description

This article describes some limitations that should be considered when implementing/creating VLANs on the FortiGate. More specifically, the available range of VLAN IDs for a VLAN sub-interface can be limited depending on the parent interface that is selected.

Scope

FortiGate, VLANs.
Solution

For reference, the total range of VLAN IDs is from 0 to 4095. However, when setting VLAN IDs on a FortiGate interface (such as creating a VLAN sub-interface or configuring the native VLAN of a VLAN Switch), there are some limitations to be aware of:

  • VLAN ID 0 is generally reserved and cannot be assigned to VLAN sub-interfaces.
    • VLAN Switches technically have VLAN 0 configured by default, but this is somewhat misleading. If client traffic arrives on a VLAN Switch with VLAN 0 and is then sent out of an Ethernet Trunk interface on the FortiGate, the traffic egressing the Ethernet Trunk interface will be untagged (i.e., it carries no VLAN tag).
    • In general, VLAN ID 0 is not used for network segmentation, but some vendors use it to support 802.1p CoS tagging for traffic that would otherwise not carry an 802.1Q tag. For an example, see the third-party documentation: Cisco Industrial Ethernet 2000 Series | VLAN 0 priority tagging support. In earlier FortiOS versions, a FortiGate receiving a frame with the VLAN ID set to zero on any interface would drop it. Devices running FortiOS v7.0.2 and later process such frames by removing the 802.1Q tag and receiving the resulting frame on the native VLAN of the interface.
  • VLAN ID 1 cannot be assigned to a VLAN sub-interface if the parent interface is used for FortiLink (i.e., for FortiSwitch management). It also cannot be assigned to a VLAN Switch interface.
    • This is because managed FortiSwitches use VLAN 1 as the default VLAN. However, VLAN 1 may be used for VLAN sub-interfaces attached to non-FortiLink interfaces (such as physical interfaces, Hardware Switches, etc.).
    • Additionally, VLAN 1 is often the default native VLAN on other Layer 2 network devices (such as the FortiSwitch). Sending traffic tagged for VLAN 1 to switchports that have a native/access VLAN ID of 1 can result in traffic not flowing correctly. It is generally wise to avoid VLAN ID 1 so as not to run into issues caused by default settings.
    • Notably, VLAN Switches have a limited range of available VLAN IDs and can only be assigned VLAN IDs 2 through 3000.
  • VLAN IDs 4088 through 4093 also cannot be used for new VLANs associated with FortiLink interfaces (at least by default), since these are already assigned to the VLANs created automatically for FortiLink-enabled interfaces, as shown in the default initial-config template:

config switch-controller initial-config template
    edit "_default"
        set vlanid 1
    next
    edit "quarantine"
        set vlanid 4093
        set dhcp-server enable
    next
    edit "rspan"
        set vlanid 4092
        set dhcp-server enable
    next
    edit "voice"
        set vlanid 4091
    next
    edit "video"
        set vlanid 4090
    next
    edit "onboarding"
        set vlanid 4089
    next
    edit "nac_segment"
        set vlanid 4088
        set dhcp-server enable
    next
end

If needed, automatic VLAN creation can be disabled in FortiOS v7.6.3 and later; see FortiOS New Features Guide | Prevent automatically created VLANs. Disabling this setting does not affect existing FortiLink configurations.

  • VLAN ID 4094 can technically be assigned to a VLAN sub-interface, but this VLAN is used for the switch-controller-mgmt-vlan setting on the network interface (see also: FortiLink Guide - VLAN Interface Templates).
  • VLAN ID 4095 is also generally reserved and may not be assigned to a FortiGate interface.
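The limits above are easy to trip over when a VLAN plan is drawn up in a spreadsheet and only discovered when the CLI rejects the `set vlanid` command. The following added example (not Fortinet code, not from this article) turns the rules listed above into a small pre-change check: it parses the `config switch-controller initial-config template` output to learn which IDs FortiLink reserves by default, then validates each planned VLAN ID against the type of parent interface it would hang off. The parent-type names (`physical`, `hardware-switch`, `fortilink`, `vlan-switch`) and the sample template text are constructed for the example; the reserved set is a parameter so that a unit with automatic VLAN creation disabled (FortiOS v7.6.3 and later) can pass an empty set.

```python
"""Pre-change check for planned FortiGate VLAN IDs.

Added example, not Fortinet's code. It encodes the VLAN-ID limits
described in the article as a small rule engine and parses the
'config switch-controller initial-config template' CLI output to
learn which IDs FortiLink reserves by default.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the default initial-config template as printed by the CLI.
SAMPLE_TEMPLATE = """\
config switch-controller initial-config template
    edit "_default"
        set vlanid 1
    next
    edit "quarantine"
        set vlanid 4093
        set dhcp-server enable
    next
    edit "rspan"
        set vlanid 4092
        set dhcp-server enable
    next
    edit "voice"
        set vlanid 4091
    next
    edit "video"
        set vlanid 4090
    next
    edit "onboarding"
        set vlanid 4089
    next
    edit "nac_segment"
        set vlanid 4088
        set dhcp-server enable
    next
end
"""

# Hypothetical parent-interface categories used only by this example.
PARENT_TYPES = {"physical", "hardware-switch", "fortilink", "vlan-switch"}


def parse_template_vlans(text: str) -> Dict[str, int]:
    """Map template name -> vlanid from the initial-config template output."""
    result: Dict[str, int] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit "([^"]+)"$', line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^set vlanid (\d+)$", line)
        if m and current is not None:
            result[current] = int(m.group(1))
        elif line == "next":
            current = None
    return result


def check_vlan_id(vlan_id: int, parent_type: str,
                  fortilink_reserved: Optional[Set[int]] = None) -> Tuple[str, str]:
    """Return ('ok' | 'warn' | 'error', reason) for assigning vlan_id on a parent of parent_type.

    fortilink_reserved: IDs already taken by automatically created FortiLink VLANs;
    defaults to 4088-4093 (the article's default template). Pass an empty set when
    automatic VLAN creation has been disabled.
    """
    if parent_type not in PARENT_TYPES:
        raise ValueError(f"unknown parent type: {parent_type}")
    if not 0 <= vlan_id <= 4095:
        return "error", "VLAN IDs range from 0 to 4095"
    if vlan_id == 0:
        return "error", "VLAN 0 is reserved and cannot be assigned to a sub-interface"
    if vlan_id == 4095:
        return "error", "VLAN 4095 is reserved"
    if parent_type == "vlan-switch":
        # VLAN Switches only accept 2-3000, which also rules out VLAN 1 and 4094.
        if not 2 <= vlan_id <= 3000:
            return "error", "VLAN Switch interfaces only accept VLAN IDs 2 through 3000"
        return "ok", "allowed on a VLAN Switch"
    if parent_type == "fortilink":
        if vlan_id == 1:
            return "error", "VLAN 1 is the managed FortiSwitch default VLAN"
        reserved = fortilink_reserved if fortilink_reserved is not None else set(range(4088, 4094))
        if vlan_id in reserved:
            return "error", "already used by an automatically created FortiLink VLAN"
    if vlan_id == 4094:
        return "warn", "4094 is used for switch-controller-mgmt-vlan"
    if vlan_id == 1:
        return "warn", "VLAN 1 is a common default native VLAN; prefer another ID"
    return "ok", "allowed"


def check_plan(plan: List[Tuple[str, str, int]],
               template_text: str = SAMPLE_TEMPLATE) -> List[Tuple[str, str, str]]:
    """Validate a planned list of (name, parent_type, vlan_id); returns (name, status, reason)."""
    reserved = set(parse_template_vlans(template_text).values())
    return [(name, *check_vlan_id(vid, ptype, reserved)) for name, ptype, vid in plan]


if __name__ == "__main__":
    # Constructed plan mixing good and bad choices.
    demo = [("users", "physical", 100), ("guest", "fortilink", 4090),
            ("mgmt", "physical", 4094), ("lab", "vlan-switch", 3500)]
    for name, status, reason in check_plan(demo):
        print(f"{name:8} {status:5} {reason}")
```

Run the file directly to see the verdict for each planned VLAN, or import `check_plan` and feed it the output of `show switch-controller initial-config template` copied from the unit under review, so the reserved set reflects what that FortiGate actually has rather than the documented default.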

To troubleshoot issues related to VLAN ID misconfigurations, try using tools on the FortiGate, such as the packet sniffer and debug flow, to check for incoming/outgoing packets: