FortiGate
yloo
Staff
Article Id 420495
Description
This article describes an issue where a FortiGate sub-interface configured with VLAN 1 does not receive traffic.
Scope
FortiGate, third-party switch.
Solution

The issue occurs because most switches treat VLAN 1 as the native (untagged) VLAN on trunk links.
FortiGate, however, requires VLAN 1 traffic to arrive tagged in order to deliver it to the VLAN 1 sub-interface; untagged traffic is sent and received on the physical (parent) interface instead.

This mismatch prevents VLAN 1 traffic from reaching the FortiGate sub-interface unless the switch configuration is adjusted.

To resolve the issue, change the native VLAN on the switch to a dummy VLAN (for example, VLAN 999) that is not used anywhere else in the network.
This ensures VLAN 1 traffic is sent tagged across the trunk.

SW1#configure terminal
SW1(config)#interface gi0/1
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport trunk native vlan 999
SW1(config-if)#switchport trunk allowed vlan 1,10,20

Reference: FortiGate requires all VLAN sub-interfaces—including VLAN 1—to receive 802.1Q-tagged frames for proper operation.
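To make the native-VLAN mismatch concrete, the following is an added Python model written for this article; it is not code from the article or from Fortinet. It builds raw Ethernet frames with and without an 802.1Q tag, parses the tag back out, models a trunk port that strips the tag from native-VLAN frames, and models the FortiGate rule stated above (untagged frames land on the physical interface, tagged frames on the matching sub-interface). The MAC addresses, the sub-interface names vlan1/vlan10/vlan20, the parent name port1 and the outcome for a tag with no matching sub-interface are all constructed assumptions.

```python
import struct

ETHERTYPE_8021Q = 0x8100  # 802.1Q tag protocol identifier (TPID)
ETHERTYPE_IPV4 = 0x0800   # payload EtherType used for the sample frames

# Constructed sample MAC addresses (assumption, not from the article)
SWITCH_MAC = bytes.fromhex("0011223344aa")
FGT_MAC = bytes.fromhex("0011223344bb")


def build_frame(dst, src, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame; add an 802.1Q tag when vlan_id is given.

    The tag is 4 bytes: TPID 0x8100 followed by the TCI (3-bit PCP,
    1-bit DEI, 12-bit VLAN ID), inserted after the source MAC.
    """
    frame = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)
        frame += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    frame += struct.pack("!H", ETHERTYPE_IPV4)
    return frame + payload


def parse_vlan(frame):
    """Return the 802.1Q VLAN ID carried by a frame, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF  # drop PCP/DEI, keep the 12-bit VID


def trunk_egress(vlan_id, native_vlan):
    """Model a switch trunk port: frames in the native VLAN leave untagged,
    every other VLAN leaves carrying its 802.1Q tag."""
    return None if vlan_id == native_vlan else vlan_id


def fortigate_ingress(frame, subinterfaces, physical="port1"):
    """Model the FortiGate rule from the article: untagged frames belong to the
    physical interface, tagged frames to the sub-interface with that VLAN ID.
    What happens to a tag with no configured sub-interface is an assumption."""
    vid = parse_vlan(frame)
    if vid is None:
        return physical
    return subinterfaces.get(vid, "no matching sub-interface")


def simulate(native_vlan, vlans=(1, 10, 20)):
    """Send one frame per VLAN across the trunk and report where the FortiGate
    delivers it. Sub-interface names are assumed for illustration."""
    subifs = {1: "vlan1", 10: "vlan10", 20: "vlan20"}
    payload = b"\x45" + b"\x00" * 19  # constructed dummy IPv4 header bytes
    result = {}
    for vid in vlans:
        wire_vid = trunk_egress(vid, native_vlan)
        frame = build_frame(FGT_MAC, SWITCH_MAC, payload, vlan_id=wire_vid)
        result[vid] = fortigate_ingress(frame, subifs)
    return result


if __name__ == "__main__":
    # With native VLAN 1 the switch strips the tag, so VLAN 1 traffic lands on
    # port1 instead of the vlan1 sub-interface; with native VLAN 999 it is tagged.
    print("native vlan 1  :", simulate(1))
    print("native vlan 999:", simulate(999))
```

Running the block shows VLAN 1 traffic arriving on port1 when the switch keeps VLAN 1 native, and on the vlan1 sub-interface once the native VLAN is moved to 999, while VLANs 10 and 20 are unaffected either way. On a Cisco IOS switch, show interfaces gi0/1 trunk confirms the new native VLAN after the change.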