Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ShyLionCy
New Contributor

FortiGate untagged SVI?

Hello.

Is it possible to create _untagged_ SVI on FortiGate (100F for example) ?

I know, that i can just set ip on parent interface, but it's a bit illogical.

9 REPLIES 9
ebilcari
Staff
Staff

It depends on your point of view but basically an untagged VLAN will handle the untagged frames coming in an interface. By default if no VLAN is configured the interface itself will handle this traffic. In case you create a sub interface for a specific VLAN you will end up with 1(native) + 1 tagged interface and so on.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
ShyLionCy

I came from Cisco world.

There, if a router has built-in switch, then it acts as switch, and you can have Vlan1 interface, which will handle VLAN 1 traffic, which is usually came untagged from trunk.

 

In case of routed interfaces, you may create:

interface Gi0/0/0.1

  encapsulation dot1q untagged

  ip address ....

  etc

 

Logically separating L2 trunk from L3 interface.

 

So my question is if it is achievable on FortiGate.

 

ebilcari

Yes I understand that you are used to in that way.

Routed interface don't do switching so technically there is no trunk on that port, only L3 sub interfaces that accept tagged traffic.

In my opinion the Cisco approach doesn't make too much sense, creating a sub interfaces using a VLAN ID and then choose to accept untagged traffic on it. The frames will not have any VLAN tag at all, so why not use the interface itself to handle this untagged traffic.

As I know you can't use this Cisco style configuration on a FortiGate.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
ShyLionCy

There is a sense - when you operate on parent interface, it affects it's subinterfaces also.

Simple example - suppose you want to sniff packets on 1 vlan interface.

Using FG approach you would need to specifically filter out other vlans, because their traffic will also hit you otherwise.

Or you wish to temporary shut down vlan1 interface...

 

sw2090
Honored Contributor

if you snif on the FGT directly just set the filter to snif traffic on the vlan interface only since all other traffic will not hit that interface.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
ShyLionCy

How you do that for untagged traffic?

sw2090
Honored Contributor

I think ebilcari's interpretation is misunderstandable.

 

"untagged" as I know it from HP Switches is the same as PVID on DEll Switches. It means all traffic that has no vlan tag or no vlan tag that is tagged on this port will be tagged with the "untagged" vid or pvid.

And exactly this behavior is not supported on Fortigate as far as I know. Vlan interfaces on a FGT always act like a tagged port. That means traffic tagged with that vid will hit the interface and all other traffic will not. The FGT will not touch your vlan tag.

Traffic without tag will hit the interface the vlan iface is attached to. I am not sure what happens to traffic that does have a vlan tag but none known by the FGT.

 

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
ebilcari

I think tagged and untagged are concepts coming from the RFC of 802.1Q (https://www.ietf.org/rfc/rfc2674.txt) referring to the VLAN header of the Ethernet frame. Untagged meaning that the frame doesn't have a VLAN header at all (4 bytes).


For switching interfaces, when this frames with no VLAN header reaches the interface, it's treated as part of the native VLAN configured in that port. If this frame need to go over a trunk the switch will put the tag on it before sending it over (from the native VLAN on the port it received the traffic).

For routing interfaces it's just used for selecting the sub interface there is no frame switching involved so there is no need to "tag with the "untagged" vid or pvid".

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
EllaForrest

Thank you, I didn't know that before.

Top Kudoed Authors