FortiSwitch
sachitdas_FTNT
Article Id 380256
Description This article describes the process and behavior of managed FortiSwitches when the FortiLink management VLAN is changed from the default VLAN 4094 to a custom VLAN.
Scope Managed FortiSwitches and FortiGate version 7.2.x and later.
Solution

By default, the FortiLink management VLAN is 4094. If it needs to be changed, refer to the following document:

Optional FortiLink configuration required before discovering and authorizing FortiSwitch units

 

On the FortiGate CLI:

config system interface
    edit <fortilink interface>
        set fortilink enable
        set switch-controller-mgmt-vlan <integer>   --> For example, VLAN 299.
    next
end

 

When this change is made, the FortiGate pushes VLAN 299 to the managed FortiSwitches as the FortiLink VLAN. Verify with the following commands on the FortiSwitch CLI:

 

FortiSwitch# show switch auto-network
config switch auto-network
    set mgmt-vlan 299    --> Changed to 299 from default 4094.
end

 

FortiSwitch# show switch interface internal
config switch interface
    edit "internal"
        set native-vlan 299    --> Changed to 299 from default 4094.
        set stp-state disabled
        set snmp-index 29
    next
end

 

By default, MSTP instance ID 15 on the FortiSwitch carries the native (FortiLink) VLAN 4094. Verify with the following commands on the FortiSwitch:

 

FortiSwitch# diagnose stp instance list
.
.
Instance ID 15
Config Priority 20480 , VLANs 4094

FortiSwitch# show switch stp instance 15
config switch stp instance
    edit "15"
    .
    .
        set vlan-range 4094
end

 

Once the management VLAN has been changed to 299, the FortiSwitch automatically replaces VLAN 4094 with VLAN 299 in every configuration that referenced it, including STP instance 15. For example:

 

FortiSwitch# show switch stp instance 15
config switch stp instance
    edit "15"
    .
    .
        set vlan-range 299
end

 

User impact if STP instance 15 is not updated to VLAN 299: clients connected to FortiSwitches (except the core switch) do not receive an IP address on a user VLAN that has 'Block intra-VLAN traffic' enabled. To confirm this condition, run 'diagnose stp instance list' on the affected FortiSwitch; if instance ID 15 still shows VLANs 4094 after the management VLAN was changed, apply one of the workarounds below.

 

Workaround: either disable 'Block intra-VLAN traffic' on the user VLAN, or define a custom command on the FortiGate that maps VLAN 299 to STP instance ID 15 and push that custom command to the affected FortiSwitches:

 

FortiGate# config switch-controller custom-command
    edit "stp"
        set command "config switch stp instance %0a edit 15 %0a set vlan-range 299 %0a next %0a end %0a"   --> %0a is a newline in the command string.
    next
end

 

FortiGate# config switch-controller managed-switch
    edit <FSW name>
        config custom-command
            edit "1"
                set command-name "stp"
            next
        end
    next
end
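The following script is an added example and is not part of this article or of Fortinet's tooling. It automates the check described above for the user-impact case: it parses the text of 'show switch auto-network' and 'show switch stp instance' as captured from a FortiSwitch CLI, reports whether the configured mgmt-vlan is carried by STP instance 15, and builds the FortiGate custom-command string (using %0a as the newline) needed to correct it. The sample CLI outputs embedded below are constructed, not captured from a real switch, and the vlan-range parser assumes the FortiSwitch syntax of space-separated values with hyphenated ranges (for example '1-100 299').

```python
"""Check that STP instance 15 on a FortiSwitch follows the FortiLink mgmt-vlan.

Added example (not Fortinet's code). Parses captured CLI text from
'show switch auto-network' and 'show switch stp instance'.
"""
import re

# Constructed sample output: mgmt-vlan already changed to 299, but STP
# instance 15 still maps VLAN 4094 (the failure mode described in the article).
AUTO_NETWORK_OUT = """config switch auto-network
    set mgmt-vlan 299
end
"""

STP_INSTANCE_OUT = """config switch stp instance
    edit "15"
        set priority 20480
        set vlan-range 4094
    next
end
"""


def parse_mgmt_vlan(text):
    """Return the mgmt-vlan integer from 'show switch auto-network' output."""
    m = re.search(r"^\s*set mgmt-vlan (\d+)\s*$", text, re.M)
    if not m:
        raise ValueError("no 'set mgmt-vlan' line found")
    return int(m.group(1))


def parse_vlan_range(spec):
    """Expand a vlan-range value such as '10-12 299' into a set of VLAN IDs.

    Assumption: values are space-separated, ranges use a hyphen.
    """
    vlans = set()
    for tok in spec.split():
        if "-" in tok:
            lo, hi = tok.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(tok))
    return vlans


def parse_stp_instances(text):
    """Return {instance_id: set_of_vlans} from 'show switch stp instance' output."""
    instances = {}
    current = None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r'edit "?(\d+)"?$', s)
        if m:
            current = int(m.group(1))
            instances[current] = set()
            continue
        m = re.match(r"set vlan-range (.+)$", s)
        if m and current is not None:
            instances[current] = parse_vlan_range(m.group(1))
        elif s == "next":
            current = None
    return instances


def check(auto_network_text, stp_text, expected_instance=15):
    """Report whether the mgmt-vlan is carried by the expected STP instance."""
    mgmt = parse_mgmt_vlan(auto_network_text)
    instances = parse_stp_instances(stp_text)
    carried_by = sorted(i for i, v in instances.items() if mgmt in v)
    return {
        "mgmt_vlan": mgmt,
        "instances": instances,
        "carried_by": carried_by,
        "ok": expected_instance in carried_by,
    }


def custom_command(mgmt_vlan, instance=15):
    """Build the FortiGate custom-command string; FortiOS uses %0a as newline."""
    return (
        f"config switch stp instance %0a edit {instance} %0a "
        f"set vlan-range {mgmt_vlan} %0a next %0a end %0a"
    )


if __name__ == "__main__":
    result = check(AUTO_NETWORK_OUT, STP_INSTANCE_OUT)
    print(f"mgmt-vlan {result['mgmt_vlan']} carried by instances {result['carried_by']}")
    if not result["ok"]:
        print("STP instance 15 does not carry the mgmt-vlan; push this custom command:")
        print(custom_command(result["mgmt_vlan"]))
```

Run it against the real outputs by replacing the two constructed strings with text copied from the FortiSwitch CLI; the 'ok' flag is False exactly in the case the article warns about, and the generated string is what goes into 'set command' of the FortiGate custom-command entry.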

 

Related articles:

Technical Tip: FortiSwitch Auto-Discovery and Authorization

Technical Tip: Managed FortiSwitch default configuration of inter switch link fortilink trunk, mclag...