FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 275908


This describes how to use Optional VLAN ID in Tunnel type SSID configuration.








When using a Tunnel-Mode SSID, the FortiAP will encapsulate wireless traffic within a CAPWAP tunnel before sending it to the FortiGate WiFi controller for inspection and routing. While configuring a Tunnel type SSID, it gives an option to use an optional VLAN ID.

If there is a VLAN under the tunnel SSID interface, the Optional VLAN ID feature can be used to tag the traffic coming from the client for that specific VLAN.





FortiGate manages the FortiSwitch using FortiLink, FortiAP is connected behind the FortiSwitch, and FortiGate on VLAN 11 ( manages FortiAP (




FortiAP is broadcasting a Tunnel-type wireless SSID with an optional VLAN ID set to 15. On FortiGate, the Tunnel SSID interface has a VLAN ID 15 as shown below:




When the WiFi client connects to the Tunnel SSID, it will send the DHCP Discover packet that will be received by the FortiAP.

FortiAP will add an 802.1Q VLAN tag 15 (Optional VLAN ID) on the packet and encapsulate it in the CAPWAP packet.

FortiSwitch will then receive that CAPWAP packet and it will add the 802.1Q VLAN tag 11 while sending it out to the FortiGate on the FortiLink trunk.




Green represents the original packet sent by the connecting device, Yellow added data by FortiAP and Blue shows the data added by FortiSwitch.

Below is the actual DHCP Discover packet received on the FortiLink interface:




FortiGate’s FortiLink interface receives the CAPWAP packet with DHCP discover UDP IP packet encapsulated in it.

This packet is destined for the FortiGate WiFi Controller that resides on VLAN 11. Now the outermost 802.1Q VLAN tag is for VLAN 11, FortiGate will process it for VLAN 11.


Packet captured on VLAN 11 interface:




VLAN 11 received this packet without an 802.1Q VLAN tag 11, where it will be de-encapsulated and the DHCP Discover message will be sent to the tunnel SSID interface.


Packet captured on SSID Interface:




SSID interface received the DHCP Discover interface with an 802.1Q VLAN tag 15 (Optional VLAN). It will then send this packet to the destination interface VLAN 15.


Packet captured on VLAN 15:




After VLAN 15 receives, the packet it will send a DHCP offer to the client considering the DHCP server is enabled on the interface.


Optional VLAN ID with Tunnel Mode SSIDs allows administrators to bridge the Tunnel-mode wireless SSID with a Software Switch.

This enables wired and wireless users to share a common network segment.