Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Tutek_OLD
New Contributor

One Vlan on multiple ethernet interfaces

Hi,

it is possible on Fortigate 100F to have one vlan configured on multiple ports?

Let's say I have vlan5 192.168.5.0, it is possible to attach it on port1 and port2 so then I will have on these ports the same shared vlan5 subnet ?

 

thanks

1 Solution
Benoit_Rech_FTNT

Hello Wojtek,

you can assign the same VLAN to multiple physical ports, and with different IPs on the same subnet. Do do that, you need to enable 'allow-subnet-overlap'

See https://kb.fortinet.com/kb/documentLink.do?externalID=FD30014

Best regards, Benoit

View solution in original post

26 REPLIES 26
Tutek_OLD

This is no problem for me as I have managed switches and I use already tagged MGMT vlan. I'm asking if Fortigate is able to achieve this setup as I soon moving from my current router to Fortigate.

lobstercreed

I think you're conflating routers and layer 3 switches.  I'm not aware of any "router" that can do what you're asking, and that's more what the FortiGate is, so unfortunately not.

sw2090
Honored Contributor

Sounds like you have a similar setup to us:

 

We have management switches that have vlans tagged on their ports. The switches have some uplink to the next siwtch (redundant using spanning tree and trunking). All Traffic that wants to leave the vlan/subnet it comes from will hit the Fortigate in the end. So the FGT has one interface (one port or trunk) connected to the first switch and all vlans are tied to that on the FGT.

Still those are seperated one one hand by the port tagging on the switches and also by the FGT because there will be no inter-vlan-traffic unless a policy explicitely allows it.

 

This is working fine here.


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Tutek_OLD

Yes I'm going to do the same config when I will build my new Fortigate. 

Have one more question I don't use in my LAN native VLAN1, my LAN is on other tagged VLANID, is any way on a trunk Fortigate port to ingress filter VLANS and do not accept any untagged vlans? This is intended to more secure my network.

sw2090
Honored Contributor

hm don't think so. But does not matter since you could give the physical interface some dummy config or set it to dhcp ar anything else so it doesn't match any packet coming on there.

Additionally all traffic that don't match any policy on the FGT will it Policy #0 and get dropped. This is FGT default :)

 

Or you set the physical port up for the first vlan (ip config only) and set the uplink to the first switch after the FGT to be untagged in that vlan. This is the way we do. Ports that are not in any vlan are untagged in vid 1 (because HP Switches do require this) and the interface on the FGT carries the ipconfig for the first vlan.

All other vlans are tied to this interface as virtual vlan interfaces with correct vid. Uplink on that switch is tagged in all other vlans. So traffic from other vlan hits the FGT with correct vid and hits the vlan iterface while traffic with no vid or invalid vid gets retagged to 1 by the switch and hits the physical interface because it matches the ip config.

works fine here.


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Mistic
New Contributor

You could configure the switch on FortiGate so that multiple physical ports share the same "interface", but you would not be able to tag VLANs on these ports.

sw2090
Honored Contributor

the switch ports will share all vlans that are tied to the switch interface.


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

vietleanz_FTNT

It may be late for you but for other viewers. FortiGate 100F supports virtual-switch-vlan 

config system global
set virtual-switch-vlan enable
end

Then you can create a new virtual-switch, add port1, port2 and set vlan id to this vswitch

config system virtual-switch
edit "VLAN SW"
set physical-switch "sw0"
set vlan 5
config port
edit "port1"
next
edit "port2"
next
end
next
end

That way port1 and port2 shared the same vlan 5. But note that traffic that leaves port1 and port2 not tagged.

Another port, .e.g port3 can be configured as a trunk port and connects to a trunk port on an external switch.

config system interface
edit port3
set trunk enable
next
end
end

Traffic from "VLAN SW" on trunk port3 will be tag vlan #5 toward external switch.

Hope this is what you need.

Professional Services Consultant A/NZ
Toshi_Esumi
Esteemed Contributor II

Could you explain how this "virtual-switch-vlan" is different from VLAN subinterface on a hard-switch like below without enabling this feature?

config system virtual-switch

  edit "VLAN-SW"
    set physical-switch "sw0"

    config port
      edit "port1"
      next
      edit "port2"
      next
   end
  next
end

 

config system interface

  edit vlan5

    set vdom "root"

    set interface "VLAN-SW"

    set vlanid 5

  next

end

 

Toshi

vietleanz_FTNT

Hi Toshi

 

For the FGT that supports vlan switch, you need to enable "virtual-switch-vlan" so the config you referenced will work, provided that you need to set trunk on port1 and port2.

 

The document says 'set trunk enable' is optional but I see it requires for the subinterface to work.

 

For the model that doesn't support vlan switch, your config will work anyway.

 

It's very confusing for me too, so I edited the previous reply. It may require some labs for specific use cases.

 

Cheers.

Viet

Professional Services Consultant A/NZ