Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Tutek_OLD
New Contributor

One Vlan on multiple ethernet interfaces

Hi,

Is it possible on a FortiGate 100F to have one VLAN configured on multiple ports?

Let's say I have vlan5 192.168.5.0; is it possible to attach it to port1 and port2 so that I then have the same shared vlan5 subnet on both ports?

 

thanks

1 Solution
Benoit_Rech_FTNT

Hello Wojtek,

You can assign the same VLAN to multiple physical ports, and with different IPs on the same subnet. To do that, you need to enable 'allow-subnet-overlap'.

See https://kb.fortinet.com/kb/documentLink.do?externalID=FD30014

Best regards, Benoit
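As an added example (not from Benoit's post or the linked KB article), this is the FortiOS CLI equivalent of that advice for the asker's vlan5 on port1 and port2; the subinterface names, the "root" VDOM and the .1/.2 addresses are assumptions:

```fortios
# Added example, not from the post: vlan5 as two subinterfaces, one per physical
# port, both addressed inside 192.168.5.0/24. Names, VDOM and IPs are assumed.
config system settings
    set allow-subnet-overlap enable
end
config system interface
    edit "vlan5-port1"
        set vdom "root"
        set ip 192.168.5.1 255.255.255.0
        set allowaccess ping
        set interface "port1"
        set vlanid 5
    next
    edit "vlan5-port2"
        set vdom "root"
        set ip 192.168.5.2 255.255.255.0
        set allowaccess ping
        set interface "port2"
        set vlanid 5
    next
end
```

The two subinterfaces remain separate broadcast domains, so the FortiGate does not bridge hosts behind port1 with hosts behind port2, and firewall policies are still matched per interface.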


Toshi_Esumi
Esteemed Contributor II

So you said your config example above is non-tagged. Then you can still configure an IP address on the "VLAN SW"? In other words, with this particular config, the VLAN switch provides a so-called "native VLAN". But I'm assuming you can't have both non-tagged and tagged VLANs on one port at the same time.

 

But when I tried last time with a 60F with "trunk" enabled, I still couldn't stack multiple VLANs. Maybe because I chose a different set of ports and only one port had two VLANs. Further testing is needed.

 

Toshi

Toshi_Esumi
Esteemed Contributor II

Before starting to test this again I wanted to upgrade the 60F to 6.4.9, which was released last week. Then it crashed. TAC said it "matches a known issue" below:

 

801985: Kernel panic occurs when a virtual switch with VLAN is created, and another port is configured with a trunk.

 

They also said it would be fixed in 6.4.10. I guess this feature is not so stable at this moment.

 

Toshi

vietleanz_FTNT

Hi Toshi

 

Yes, what I see is that this feature is not stable, with possible bugs in the latest firmware. For example, if you have port1 in a VLAN switch and set trunk enable, then when you reboot the FortiGate or even reload the config, port1 will be removed from the VLAN switch, because it has trunk enabled and it can't be added to any switches or used anywhere. I will report this to devs.

 

In short, don't use this feature for now.

 

Viet

Professional Services Consultant A/NZ
Toshi_Esumi
Esteemed Contributor II

I agree, Viet. I had to remove the "zombie" hard-switch interface from the interface config by removing it from the backup config file and then restoring.
We'll disable this feature for any 60F installations for now.

 

Toshi

vietleanz_FTNT

Ok Toshi, I discussed this with engineering; here is the outcome:

 

1- Later FOS will not let a VLAN switch member be a trunk; you can't set trunk enable if the port is a member of a VLAN switch. It means a trunk port is a standalone port.

2- A port with trunk enabled will be a dedicated trunk port (see the GUI), and it must be in the root VDOM if you have multiple VDOMs.

3- Trunk port doesn't support LACP. You can't enable LACP on a trunk interface.

4- Trunk port allows all VLANs defined in the VLAN switch (set vlan) for now.

5- The basic setup as below:

 

a- port1, port2 as members of a VLAN switch - set vlan 10. The host PC1 connects to port1 or port2.

b- port3 is set as a dedicated trunk port.

c- port3 physically connects to a trunk port (eth0) on an external VLAN switch; it allows vlan 10.

d- On the external switch, eth1 is an access port on vlan 10.

e- The host PC2 connects to eth1 on the external switch.

 

PC1 can now communicate with PC2 on VLAN 10.

Hope it's clear now about the VLAN switch.

Professional Services Consultant A/NZ
Toshi_Esumi
Esteemed Contributor II

Still not 100% clear to me. But we don't want to use it, at least for now, if the "trunk" doesn't support an LACP aggregate interface. I don't see a clear benefit over the combination of hard-switch + stacked VLAN subinterfaces.

But once 6.4.10 comes out, I'll conduct more comprehensive/exhaustive tests. Or the proper documentation from FTNT might be available by that time (I don't have much hope for that part though).

 

Toshi 

sw2090
Honored Contributor

I currently cannot see the use in this. For what do I configure a VLAN switch with a VID if it then does not tag the traffic? Then creating a trunk, in my opinion, would render the switch useless because the ports are trunked (i.e. they behave like one port and not a "port replicator" aka switch). So what would that be good for? Can anyone explain that to me?

Since those are completely opposing things, I don't really wonder about that leading to a kernel crash upon upgrading...

 


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams