aagrafi
Contributor II

Difference between native VLAN and Untagged VLAN list

Hello,

In the standalone FortiSwitch, we can configure the following VLAN settings in a port: Native VLAN, Allowed VLAN list and Untagged VLAN list. This configuration is available only in the standalone switch; when the switch is managed by a FortiGate, the only settings available are the Native VLAN and the Allowed VLAN list.

Can somebody explain to me why someone would need to set the Untagged VLAN list? It seems to me that the Native VLAN alone should be sufficient. What additional functionality does the Untagged VLAN list provide to the port configuration that is not covered by the Native VLAN?

Thanks


5 REPLIES
emnoc
Esteemed Contributor III

Did you read the docs? https://docs.fortinet.com/document/fortiswitch/6.4.2/administration-guide/146333/vlans-and-vlan-tagg...

It explains where and how these apply.

Ken Felix

PCNSE 

NSE 

StrongSwan  

aagrafi
Contributor II

I have seen this document. But the difference between the native VLAN and the untagged VLAN is not clear to me. Can you tell me a use case where the untagged VLAN list is needed?

emnoc
Esteemed Contributor III

Maybe you need to untag VLANs to send to a non-802.1Q device that has a bunch of secondary addresses on a single interface.

I personally have never used it, so I can't explain any business case. Whether you need that feature is the question you should be asking yourself. What it does is clear in the supporting documents.

Ken Felix

PCNSE 

NSE 

StrongSwan  


aagrafi
Contributor II

Thanks a lot for the answer, Ken. Makes sense. To comment on your last statement: in order to answer for myself whether I need that feature or not, I need to understand what it is there for :) So far, it seems that using the native VLAN is enough.

rsl
New Contributor

Native VLAN: You can configure a native VLAN for each port. The native VLAN is like a default VLAN for untagged incoming packets. Outgoing packets for the native VLAN are sent as untagged frames. The native VLAN is assigned to any untagged packet arriving at an ingress port. At an egress port, if the packet tag matches the native VLAN, the packet is sent out without the VLAN header.

Untagged VLAN list: The untagged VLAN list on a port specifies the VLAN tag values for which the port will transmit packets without the VLAN tag. Any VLAN in the untagged VLAN list must also be a member of the allowed VLAN list. The untagged VLAN list applies only to egress traffic on a port.

https://docs.fortinet.com...nd-vlan-tagging#Native
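
The two definitions quoted in the last reply, modelled as an added example (not part of the thread and not Fortinet code), to show where the native VLAN and the untagged VLAN list behave differently. The `Port` class, the helper `untagged_reply_vlan` and the VLAN IDs are hypothetical, and dropping tagged frames that are outside the native and allowed VLANs is an assumption.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Port:
    """Hypothetical model of one switch port's VLAN settings."""
    native_vlan: int
    allowed_vlans: frozenset = frozenset()
    untagged_vlans: frozenset = frozenset()

    def __post_init__(self):
        # Quoted rule: every untagged VLAN must also be in the allowed list.
        extra = self.untagged_vlans - self.allowed_vlans
        if extra:
            raise ValueError(f"not in allowed list: {sorted(extra)}")

    def ingress(self, tag: Optional[int]) -> Optional[int]:
        """VLAN a received frame is classified into (None = dropped)."""
        if tag is None:
            # Untagged frames always go to the native VLAN; the untagged
            # VLAN list is egress-only and plays no part here.
            return self.native_vlan
        # Assumption: tagged frames outside native/allowed are dropped.
        if tag == self.native_vlan or tag in self.allowed_vlans:
            return tag
        return None

    def egress(self, vlan: int) -> Optional[str]:
        """How a frame in `vlan` leaves the port (None = not sent)."""
        if vlan == self.native_vlan or vlan in self.untagged_vlans:
            return "untagged"
        if vlan in self.allowed_vlans:
            return f"tagged:{vlan}"
        return None


def untagged_reply_vlan(port: Port, vlan: int) -> Optional[int]:
    """VLAN an untagged reply lands in after `vlan` was sent out of the port."""
    if port.egress(vlan) is None:
        return None
    return port.ingress(None)


# Constructed sample: native 10, allowed 20 and 30, untagged list 30.
PORT = Port(10, frozenset({20, 30}), frozenset({30}))

if __name__ == "__main__":
    for v in (10, 20, 30, 40):
        print(v, PORT.egress(v), untagged_reply_vlan(PORT, v))
```

In this model VLAN 30 leaves the port untagged, but an untagged frame coming back from the attached device is classified into VLAN 10, which is the asymmetry to check for before relying on the untagged VLAN list.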