Sometimes, it is necessary to change the tag of the VLAN received and forward it to its destination with a different tag. Both of the end clients must share the same network.

• FortiGate connected on port23 on FortiSwitch. 
• Hypervisor connected on port11 on FortiSwitch.
  

In this example, traffic will be generated by two VM machines having the IP addresses 10.1.10.100 and 10.1.10.101 in 255.255.255.0. 

The VM will send the traffic tagged with VLAN 2010 as shown in the setup above.

In this example, the FortiGate interface has the IP 10.1.10.1/24. FortiGate does not have PVLAN 2010 and will receive packets tagged with VLAN 10 only. 

The goal of this setup is to change the VLAN tag from 2010 to 10 to prevent packet discarding from occurring on the FortiGate interface. 

Configuration on FortiSwitch.

config switch interface 

edit "port23" 

set native-vlan 200 

set allowed-vlans 10,2010 

next 

end 

config switch interface 

edit "port11" 

set allowed-vlans 10,2010 

next 

end 

config switch acl ingress 

edit 1 

set group 2 

set ingress-interface "port11" 

config classifier 

set vlan-id 2010 

end 

config action 

set count enable 

set outer-vlan-tag 10 

end 

next 

edit 2 

set group 2 

set ingress-interface "port23" 

config classifier 

set vlan-id 10 

end 

config action 

set count enable 

set outer-vlan-tag 2010 

end 

next 

end 

See Configuring an ACL policy in the administration guide for ACL commands.