FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes some limitations that should be considered when implementing/creating VLANs on the FortiGate. More specifically, the available range of VLAN IDs for a VLAN sub-interface can be limited depending on the parent interface that is selected.
Scope
FortiGate, VLANs.
Solution
For reference, the total range of VLAN IDs is from 0 to 4095. However, when setting VLAN IDs on a FortiGate interface (such as creating a VLAN sub-interface or VLAN Switch), there are some limitations to be aware of:
VLAN ID 0 is generally reserved and cannot be assigned to VLAN sub-interfaces.
VLAN Switches technically have VLAN 0 assigned by default, but this is somewhat misleading. If client traffic arrives on a VLAN Switch with VLAN 0 and is then sent out of an Ethernet Trunk interface on the FortiGate, then the traffic egressing the Ethernet Trunk interface will be untagged (i.e., no VLAN tag).
Note:VLAN ID 0 is not used for network segmentation but mainly used for qos tagging.
VLAN ID 1 cannot be assigned to a VLAN sub-interface if the parent interface is used for FortiLink (i.e., used for FortiSwitch management). It also cannot be assigned to a VLAN Switch interface.
This is because Managed FortiSwitches use VLAN 1 as the default VLAN. However, VLAN 1 may be used for VLAN sub-interfaces attached to non-FortiLink interfaces (such as physical interfaces, Hardware Switches, etc).
Additionally, take note that VLAN 1 is often used as a default native VLAN for other Layer 2 network devices (such as the FortiSwitch). Sending traffic tagged for VLAN 1 to switchports that have a native/access VLAN ID of 1 can result in traffic not flowing correctly. It may be generally wise to avoid using VLAN ID 1 to avoid issues caused by default settings.
Notably, VLAN Switches have a limited range of available VLAN IDs and can only be assigned VLAN IDs 2 through 3000.
VLAN IDs 4088 through 4093 also cannot be used for VLANs associated with FortiLink interfaces (at least by default) since they are used as part of the default template of FortiLink VLANs.
VLAN ID 4094 can technically be assigned to a VLAN sub-interface, but note that this VLAN is used for the switch-controller-mgmt-vlan setting on the network interface (See also: FortiLink Guide - VLAN Interface Templates).
VLAN ID 4095 is also generally reserved and may not be assigned to a FortiGate interface.
To troubleshoot issues related to VLAN ID misconfigurations, try using tools on the FortiGate, such as the Packet Sniffer and Debug Flow, to check for incoming/outgoing packets. In particular, keep an eye out for cases where traffic egresses as tagged traffic and yet returns as untagged or differently-tagged traffic:
