gradius85
New Contributor III

vlan and tagging

I need to perform routing on a stick with Cisco switches, so I need to create vlans on my Fortigate interfaces.

 

https://kb.fortinet.com/kb/viewContent.do?externalId=FD30883

 

Reviewed the above link/article - but what is interesting - an IP is already assigned at the physical interface. Does that IP and physical interface get bonded to vlan1 untagged? Noticed how the instructions use 'vlanid 100', which I would suspect is applying the vlan 100 tag on the 802.1Q port.

 

I do not have a lab to play/test this; however, I want to minimize the possibility in advance of running into a 'vlan 1 mismatch'.

 

What I am thinking is that NO IP address should be applied at the physical interface, and only IP addresses applied on sub-interfaces, which would make sense if this were Cisco and their concept of SVI.

 

What is the best way to tag vlans on the Fortigate when needing to provide routing on a stick capability for Cisco and some HP switches?

 

emnoc
Esteemed Contributor III

Follow the KB. An address already assigned to the interface would be untagged and follow the Cisco native VLAN for the port it's connected to.

 

So define your trunk port, allow the VLAN, and configure the vlan-id on the FGT.

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

gradius85
New Contributor III

emnoc wrote:

Follow the KB. An address already assigned to the interface would be untagged and follow the Cisco native VLAN for the port it's connected to.

 

So define your trunk port, allow the VLAN, and configure the vlan-id on the FGT.

 

Ken Felix

 

Do you know if Fortigate has the SVI concept, where you can make subinterfaces with IP addresses assigned? IMHO I do not find the Fortigate KB very helpful beyond the "let's get going" level for quick startup. Not to mention I have not been able to find a good (Cisco to Fortigate) translation of concepts; however, I am new to Fortigate, but it seems to be a good product.

lobstercreed

Mismatch native VLAN alarm is just that, an alarm. It still functions, but potentially bridges networks that are meant to be separated if you do it wrong. Think of your ISP handoff... you use untagged VLAN whatever, but the ISP may use untagged VLAN something else on their side. It doesn't matter in this case as the networks are intentionally bridged.

 

But yes, the physical interface is always untagged.  I think that's what Sebastian was trying to tell you by saying the VLAN is always a virtual (or sub-) interface.  FortiGate SVI isn't exactly like Cisco in the sense that it can't be attached to multiple physical interfaces, but instead is bonded to the single physical interface it is created on.

 

It seems like you need to trust your understanding of it as you seem to have all the concepts correct from what I can see.

gradius85

lobstercreed wrote:

Mismatch native VLAN alarm is just that, an alarm. It still functions, but potentially bridges networks that are meant to be separated if you do it wrong. Think of your ISP handoff... you use untagged VLAN whatever, but the ISP may use untagged VLAN something else on their side. It doesn't matter in this case as the networks are intentionally bridged.

 

But yes, the physical interface is always untagged.  I think that's what Sebastian was trying to tell you by saying the VLAN is always a virtual (or sub-) interface.  FortiGate SVI isn't exactly like Cisco in the sense that it can't be attached to multiple physical interfaces, but instead is bonded to the single physical interface it is created on.

 

It seems like you need to trust your understanding of it as you seem to have all the concepts correct from what I can see.

OK, much appreciated! I will have to dig through the Fortigate, because the 'potentially bridges networks' is a big issue in my case in this deployment.

 

However, thank you for your insight!

sw2090
Honored Contributor

Basically a VLAN on a FortiGate is always treated as a virtual interface that is just bound to a physical interface.

So the physical interface stays on its own and can have its own IP and policies etc. Same for the VLAN interface.

Also VLANs on FGT are always tagged.

So if traffic reaches the physical interface and is tagged with the VID of your VLAN it will go to the virtual interface...

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

lobstercreed
Valued Contributor

You can absolutely use the physical interface as well as the virtual ones.  FortiGate will send/receive packets through it untagged, so it doesn't matter what VLAN ID you configure as native/untagged on the other side (Cisco switch). 

 

Since people get hung up on how to do this properly though, it's not a bad idea to leave no IP and not use the interface for untagged traffic at all.  It might make it easier for the person after you.

gradius85

lobstercreed wrote:

You can absolutely use the physical interface as well as the virtual ones.  FortiGate will send/receive packets through it untagged, so it doesn't matter what VLAN ID you configure as native/untagged on the other side (Cisco switch). 

 

Since people get hung up on how to do this properly though, it's not a bad idea to leave no IP and not use the interface for untagged traffic at all.  It might make it easier for the person after you.

I am not sure that is 100% true with what you say "so it doesn't matter what VLAN ID you configure as native/untagged on the other side (Cisco switch)".  I have seen where this could lead to a mismatch vlan alarm on the Cisco side.

 

So are you saying that the top level is always untagged? Looking at the KB it appears that way and how the tag is not applied.

gradius85
New Contributor III

sw2090 wrote:

Basically a VLAN on a FortiGate is always treated as a virtual interface that is just bound to a physical interface.

So the physical interface stays on its own and can have its own IP and policies etc. Same for the VLAN interface.

Also VLANs on FGT are always tagged.

So if traffic reaches the physical interface and is tagged with the VID of your VLAN it will go to the virtual interface...

You confuse me!

The KB shows the vlanid only being applied to the subinterface, and not the top level. Cisco has a concept called SVI, does Fortigate have that concept?

sw2090
Honored Contributor

Yes, the vlanid is only applied to the subinterface. The word "untagged" is somewhat confusing, because on switches it usually doesn't mean there is no VLAN tag on that traffic. On most switches "untagged" indeed means that all traffic that doesn't have a VLAN tag, or has a VLAN tag that doesn't match any VLAN that is tagged on that port, will be re-tagged to the "untagged" VLAN.

 

On a FGT it means traffic that has a vlan id matching a vlan subinterface will hit the subinterface and traffic coming from vlan subinterface will be tagged with that subinterface's vlan id. All other traffic will not get a vlan tag at all on the FGT and will hit the physical interface then (Or come from there).

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

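A minimal FortiOS CLI configuration for the layout discussed in this thread, added here as an illustration; it is not taken from the KB article or from any poster. It follows lobstercreed's advice of leaving the physical trunk port without an IP and sw2090's description of how tagged frames reach the subinterfaces: each VLAN is a separate subinterface bound to port1, and traffic between the two VLANs only flows where an explicit firewall policy allows it, so nothing is bridged by accident. The port name, VLAN IDs and addresses are made up for the example, and the lines beginning with # are annotations rather than commands.

```text
config system interface
    edit "port1"
        # physical trunk toward the switch (assumed name): deliberately no IP,
        # so the FortiGate never sources or answers untagged frames on this link
        set vdom "root"
        set alias "trunk-to-switch"
    next
    edit "vlan100"
        # tagged subinterface: frames arriving on port1 with 802.1Q VID 100 land here
        set vdom "root"
        set ip 10.0.100.1 255.255.255.0
        set allowaccess ping
        set interface "port1"
        set vlanid 100
    next
    edit "vlan200"
        # second subinterface on the same trunk, VID 200
        set vdom "root"
        set ip 10.0.200.1 255.255.255.0
        set allowaccess ping
        set interface "port1"
        set vlanid 200
    next
end

config firewall policy
    edit 0
        # routing between the two VLANs happens only because this policy exists;
        # without a matching policy the FortiGate drops inter-VLAN traffic
        set name "vlan100-to-vlan200"
        set srcintf "vlan100"
        set dstintf "vlan200"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

On the switch side the matching port is a dot1q trunk that allows VLANs 100 and 200. Because port1 carries no address, whichever VLAN the switch treats as native on that trunk only decides where stray untagged frames would go, and the FortiGate neither sends nor accepts any; pointing the native VLAN at an otherwise unused ID keeps such frames out of a production segment. To confirm which interface each frame is attributed to, `diagnose sniffer packet port1 '' 4 10` prints the interface name (port1, vlan100 or vlan200) with every captured frame.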