Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AlexPien
New Contributor II

Created on ‎10-10-2023 01:20 PM

FortiGate to FortiSwitch PVLAN configuration

Hi together,

 

We have some FG2600F and FS1048E and I want to implement PVLAN on my FortiSwitch infrastructure. Unfortunately my first tests failed and I am not sure if I have a problem in the design, or in the configuration. 

 

We want to implement some VLANs, with community and isolated vlans as subvlans. On the FortiGate I have a VLAN interface on the FortiLINK LinkAgg which is for example vlan 100 and has an IP 10.0.1.1/24. In the FortiSwitch configuration I said, that the vlan 101 is the isolation vlan of the vlan 100 and 110,111, ... are my community vlans. All clients of vlan 101, 110 and 111 have the IP addresses of the range of the vlan 100. But in the isolated vlan the VMs have no possibility to talk to each other. And in the community vlans they are able to talk to eachother inside the same community.

 

The configuration of the PVLAN on the FortiSwitch is straight forward, but I am in struggle with the configuration of the Promiscuous Port, which should be the FortiLink. As well I see some difficulties, when it comes to the vendor break, because we still have some Cisco Switches in the environment. 

 

FortiSwitch-PVLAN.jpg

I appreciate your feedback. I really like the idea of using PVLAN inside the infrastructure to add additional security. Unfortunatelly the topic is quite bad documented. 

 

Best Regards 

 

FortiSwitch

FortiGate 

Labels:
2176
0 Kudos
4 REPLIES 4
ebilcari
Staff
Staff

Created on ‎10-11-2023 03:01 AM

I'm not aware of a method to mix PVLAN and FortiLink mode. What you can do if it fits your requirements is to use "Block intra-VLAN traffic". It's a feature that can be enabled at VLAN level and will force all the intra VLAN traffic to pass through FGT.

Proxy ARP need to be enabled on the GW (interface in FGT) and a Firewall policy (same interface as source and destination) will control the traffic between the hosts that are part of the same VLAN.

Keep in mind that this may not be feasible for VLANs in DC that have large amount of horizontal traffic.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
2149
AlexPien
New Contributor II

Created on ‎10-23-2023 12:19 AM

Thanks for your feedback. Unfortunately I can't use this feature, because I have isolated and community vlans in my infrastructure.

 

I already have seen that PVLAN is not supported in FortiLINK mode. Now I have reset my switches and I have put them in standalone mode. The problem is, that I do not see any documentation about promicious trunk port in the FortiSwitch documentation. I think I need this feature, otherwise I can't implement this setup as expected. Any ideas?  

2054
0 Kudos
ab1875
New Contributor
In response to AlexPien

Created on ‎02-18-2024 12:31 PM

Hi Alex, did you ever solve this? I am also struggling with getting this to work.

1755
0 Kudos
AlexPien
New Contributor II
In response to ab1875

Created on ‎02-19-2024 05:36 AM

Hi, 

well I found a solution in this case. There are some difficulties:

1. Forti Switch must be in standalone mode, no FortiLink mode

 

2. PVLAN is only supported with native vlan, 1 vlan per physical interface or LAG, because Fortinet does not support promiscous trunk only promiscous port -> based on this I have configured multiple 4x 2x10G links between FortiSwitch and FortiGate and configured on each LAG a native vlan and on this the private vlan. 

 

Is this answering your question? If necessary I can add some configuration or sketch later. But currently I have only less time. 

1734
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.