Hello.
Is it possible to create _untagged_ SVI on FortiGate (100F for example) ?
I know, that i can just set ip on parent interface, but it's a bit illogical.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
It depends on your point of view but basically an untagged VLAN will handle the untagged frames coming in an interface. By default if no VLAN is configured the interface itself will handle this traffic. In case you create a sub interface for a specific VLAN you will end up with 1(native) + 1 tagged interface and so on.
I came from Cisco world.
There, if a router has built-in switch, then it acts as switch, and you can have Vlan1 interface, which will handle VLAN 1 traffic, which is usually came untagged from trunk.
In case of routed interfaces, you may create:
interface Gi0/0/0.1
encapsulation dot1q untagged
ip address ....
etc
Logically separating L2 trunk from L3 interface.
So my question is if it is achievable on FortiGate.
Yes I understand that you are used to in that way.
Routed interface don't do switching so technically there is no trunk on that port, only L3 sub interfaces that accept tagged traffic.
In my opinion the Cisco approach doesn't make too much sense, creating a sub interfaces using a VLAN ID and then choose to accept untagged traffic on it. The frames will not have any VLAN tag at all, so why not use the interface itself to handle this untagged traffic.
As I know you can't use this Cisco style configuration on a FortiGate.
Created on 04-28-2023 04:38 AM Edited on 04-28-2023 04:39 AM
There is a sense - when you operate on parent interface, it affects it's subinterfaces also.
Simple example - suppose you want to sniff packets on 1 vlan interface.
Using FG approach you would need to specifically filter out other vlans, because their traffic will also hit you otherwise.
Or you wish to temporary shut down vlan1 interface...
if you snif on the FGT directly just set the filter to snif traffic on the vlan interface only since all other traffic will not hit that interface.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
How you do that for untagged traffic?
I think ebilcari's interpretation is misunderstandable.
"untagged" as I know it from HP Switches is the same as PVID on DEll Switches. It means all traffic that has no vlan tag or no vlan tag that is tagged on this port will be tagged with the "untagged" vid or pvid.
And exactly this behavior is not supported on Fortigate as far as I know. Vlan interfaces on a FGT always act like a tagged port. That means traffic tagged with that vid will hit the interface and all other traffic will not. The FGT will not touch your vlan tag.
Traffic without tag will hit the interface the vlan iface is attached to. I am not sure what happens to traffic that does have a vlan tag but none known by the FGT.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
I think tagged and untagged are concepts coming from the RFC of 802.1Q (https://www.ietf.org/rfc/rfc2674.txt) referring to the VLAN header of the Ethernet frame. Untagged meaning that the frame doesn't have a VLAN header at all (4 bytes).
For switching interfaces, when this frames with no VLAN header reaches the interface, it's treated as part of the native VLAN configured in that port. If this frame need to go over a trunk the switch will put the tag on it before sending it over (from the native VLAN on the port it received the traffic).
For routing interfaces it's just used for selecting the sub interface there is no frame switching involved so there is no need to "tag with the "untagged" vid or pvid".
Thank you, I didn't know that before.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.