BusinessUser
Contributor

Firewall "Software switch" with IP address config only

I assume that the layer 3 interface is tagged with VLAN 1?

What happens if I put an access VLAN on another switch port that is connected to this firewall port?

1 Solution
Toshi_Esumi
Esteemed Contributor III

No. With all FGTs, all physical and parent interfaces are NOT tagged and have no association with any VLANs configured in the unit. And VLAN ID 1 is reserved. See the KB below:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Reserved-VLAN-ID-1/ta-p/270111

If you configured an "access port" on a switch, packets coming out/in are non-tagged. So only the non-VLAN/parent interfaces can communicate with it.

Toshi

BusinessUser

So the FortiGate firewall has a layer 3 IP.

I can only use a dumb layer 2 switch to connect to it?

How about switchport mode access, switchport access vlan 1? 

Toshi_Esumi
Esteemed Contributor III

You can connect an L3 switch as well, of course. Just avoid IP conflicts. In that case, both are routers.

FGTs basically don't have the concept of an SVI except the virtual VLAN switch interface, which can have a native VLAN interface for most "F"-series FGTs. Also they don't have the concept of "switchport mode access" because it's not a switch or switch-router. It's similar to old Cisco routers like 26xx, 19xx, etc. You can stack VLANs on the physical port but there is no SVI.

The "software switch" interface is the same. You can configure a soft-switch including multiple physical interfaces as well as Wi-Fi (SSID) interfaces to have one IP/IP subnet. But it's not tagged. And again, you can stack up multiple VLANs on it.

Toshi

BusinessUser

"Stack up multiple VLANs" meaning sub-interfaces with VLAN?

Toshi_Esumi
Esteemed Contributor III

Yes. That's what I meant.
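To make the distinction concrete, here is an added FortiOS CLI example (editor's illustration, not configuration posted by Toshi_Esumi or taken from Fortinet documentation). It shows an untagged parent port carrying its own IP, an untagged software switch spanning two ports, and tagged VLAN sub-interfaces stacked on each. Interface names, VDOM, VLAN IDs and addresses are assumed placeholder values; the VLAN IDs deliberately avoid the reserved ID 1 mentioned above.

```text
# Parent physical port: untagged, carries its own L3 address.
# A switch access port facing port1 talks to this interface only.
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
    next
end

# Software switch: several ports (and optionally SSIDs) share one
# untagged L3 subnet. The members stop being independent interfaces.
config system switch-interface
    edit "soft-sw"
        set vdom "root"
        set member "port2" "port3"
    next
end
config system interface
    edit "soft-sw"
        set ip 192.168.20.1 255.255.255.0
        set allowaccess ping
    next
end

# VLAN sub-interfaces "stacked" on the untagged parents. These only see
# 802.1Q frames tagged with the matching vlanid; a switch port facing
# them must be a trunk/tagged port for those VLANs.
config system interface
    edit "port1-vlan10"
        set vdom "root"
        set interface "port1"
        set vlanid 10
        set ip 192.168.110.1 255.255.255.0
        set allowaccess ping
    next
    edit "softsw-vlan20"
        set vdom "root"
        set interface "soft-sw"
        set vlanid 20
        set ip 192.168.120.1 255.255.255.0
        set allowaccess ping
    next
end
```

Each of these is a separate routed interface, so firewall policies are still needed between them; no traffic flows between the parent subnet and a sub-interface subnet without a policy. From a hardening standpoint, keep `allowaccess` on the untagged parent limited to what administration actually needs, since that untagged interface is the one any plain access port plugged into it will reach.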
