riteshpv
Staff
Article Id 392510
Description: This article provides a simple example of a basic VLAN stacking (QinQ) configuration terminating on a FortiSwitch.
Scope: FortiSwitch v7.4, v7.6.
Solution:

 

[Figure: topology diagram (topologyKBqnq.jpg)]

 

  • The ISP, connected to port1 of the FortiSwitch, forwards S-VLAN 2540 and C-VLAN 1501.
  • A server is connected to port49 and sends traffic tagged with VLAN 1501.
  • The requirement is to tunnel VLAN 1501 inside VLAN 2540 for traffic sent towards the ISP.

 

Configuration on FortiSwitch:

config switch interface
    edit "port1"
        set description "ISP-port"
        set allowed-vlans 2540
    next
    edit "port49"
        set description "server-port"       <----- Configure Q-in-Q on the server-facing port.
        set native-vlan 2540
        config qnq
            set status enable
            config vlan-mapping
                edit 1
                    set match-c-vlan 1501
                    set new-s-vlan 2540
                next
            end
        end
    next
end

 


Explanation:

  • port1 (uplink to ISP): Accepts traffic on VLAN 2540.
  • port49 (server-facing): Configured with Q-in-Q enabled to encapsulate customer VLAN 1501 traffic inside service VLAN 2540.
  • This configuration ensures that traffic from the server, tagged with VLAN 1501, is encapsulated within VLAN 2540 before being forwarded to the ISP.
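
To confirm the encapsulation in a packet capture taken on the ISP side, the following added example (not part of the original article and not Fortinet code) parses the VLAN tag stack of an Ethernet frame and checks for outer S-VLAN 2540 with inner C-VLAN 1501. The sample frame and MAC addresses are constructed, `push_s_tag` is a simplified model of the vlan-mapping entry, and the outer TPID (0x88A8 here, with 0x8100 also accepted by the parser) is an assumption because the article does not state it.

```python
import struct

# TPIDs treated as VLAN tags: 0x8100 (802.1Q) and 0x88A8 (802.1ad S-tag).
# Assumption: the article does not say which TPID the switch writes for the outer tag.
VLAN_TPIDS = {0x8100, 0x88A8}

def parse_vlan_stack(frame: bytes):
    """Return ([vid, ...] outermost first, inner EtherType) for an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset, vids = 12, []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in VLAN_TPIDS:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, next_type = struct.unpack_from("!HH", frame, offset + 2)
        vids.append(tci & 0x0FFF)           # low 12 bits of the TCI are the VLAN ID
        ethertype, offset = next_type, offset + 4
    return vids, ethertype

def push_s_tag(frame: bytes, match_c_vlan: int, new_s_vlan: int, tpid: int = 0x88A8):
    """Simplified model of the vlan-mapping entry: wrap matching C-VLAN frames in an S-tag."""
    vids, _ = parse_vlan_stack(frame)
    if vids[:1] != [match_c_vlan]:
        return frame                         # no match: left unchanged in this model
    return frame[:12] + struct.pack("!HH", tpid, new_s_vlan) + frame[12:]

def is_expected_qinq(frame: bytes, s_vlan: int = 2540, c_vlan: int = 1501) -> bool:
    """True only for exactly two tags: outer S-VLAN, then inner C-VLAN."""
    vids, _ = parse_vlan_stack(frame)
    return vids == [s_vlan, c_vlan]

# Constructed sample: server frame tagged with C-VLAN 1501 and a stub IPv4 payload.
MACS = bytes.fromhex("0200000000010200000000aa")
SERVER_FRAME = MACS + struct.pack("!HHH", 0x8100, 1501, 0x0800) + b"\x45" + bytes(19)
ISP_FRAME = push_s_tag(SERVER_FRAME, match_c_vlan=1501, new_s_vlan=2540)

if __name__ == "__main__":
    for name, f in (("server side", SERVER_FRAME), ("ISP side", ISP_FRAME)):
        print(name, parse_vlan_stack(f), "QinQ ok:", is_expected_qinq(f))
```

A frame seen on port1 that carries only VLAN 1501, or 2540 with no inner tag, fails `is_expected_qinq` and points to a mapping that is not being applied.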

 

Important Note:

Not all FortiSwitch models support QinQ. Refer to the feature matrix and search for 'VLAN stacking (QinQ)'.
