Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Fortigate100F -- Does a VLAN Switch interface act ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate100F -- Does a VLAN Switch interface act like a trunk port?
I have a Fortigate 100F. I have aggregated four Physical ports, 1-4, into a VLAN Switch interface. I have set the 'Role' of the VLAN Switch interface to LAN, set the 'VLAN ID' of the VLAN Switch to 10, and I have assigned an IP address and subnet mask to the VLAN Switch interface. I then created 4 VLAN type subinterfaces on the VLAN Switch interface, VLAN ID: 20,30,40,50, all with non-overlaping IP addresses\netmask.
The mental model I have in my head about how a VLAN Switch in FortiGate works is that it operates like a trunk link, transporting traffic tagged with multiple vlans, as well as untagged traffic (native vlan traffic), to other VLAN aware Layer 2 devices, such as Managed switches, with the added benefit of link redundancy because a VLAN Switch interface is formed from multiple physical ports.
What I wanted to create was a "firewall-on-a-stick" setup where the end devices in the various vlans (10-50) connect to a managed Aruba 2930F switch which trunks over (via multiple cables) to the FortiGate 100F on ports 1-4 (the VLAN switch) for intervlan routing and firewall policy processing purposes. The IP address I assigned to each VLAN subinterface on the VLAN Switch is the IP address I assign as the default gateway of end devices residing in the same VLAN. For example, end devices in VLAN 30 have a default gateway IP equal to the IP assigned to the VLAN 30 subinterface on the VLAN Switch interface. Likewise, end devices in vlan 10 have a default gateway IP equal to the IP address assigned to the VLAN Switch interface (native vlan). Unfortunately, with this setup, I cannot ping the VLAN subinterface "gateways" from the end devices: For example, I cannot ping the VLAN 40 subinterface from an end device on VLAN 40 through the Aruba 2930F trunk link -- I am tagging the appropriating traffic on the Aruba interface connecting to the FortiGate; I also cannot ping the VLAN 40 subinterface from an end device on VLAN 40 when connecting directly to the FortiGate on any of ports 1-4, bypassing the Aruba 2930F managed switch entirely -- I am setting the network adapter to tag VLAN traffic directly.
Only devices on VLAN 10 (the native vlan -- untagged) can ping anything. End device on VLAN 10 can ping the VLAN Switch "gateway" IP and can ping VLAN subinterfaces "gateways" on the VLAN Switch, provided that the appropriate firewall policies are in place to allow this. I am currently plugging end devices on VLAN 10 directly into the FortiGate on ports 1-4, but I think I was able to do it through the Aruba Switch earlier.
All devices are directly connected to the FortiGate 100F firewall so routing should not be an issue. All interfaces and subinterfaces are set to allow PING administrative traffic. All needed firewall policies are in place to allow pinging between interfaces. Trusted Host is not enabled on the firewall. All interfaces/subsinterfaces are the same VDOM (root). Why can't I ping? What don't I understand about how VLAN Switch interfaces work on FortiGate? If VLAN Switch interface is not appropriate for firewall-on-a-stick, what alternative can I employ in FortiGate to make a firewall-on-a-stick setup for inter-vlan routing? I really want the redundancy benefit of aggregated ports.
Thank you for your time and consideration.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if you want to connect a switch with multiple ports to me a (vlan) Switch on the FGT doesn't make sense. Shouldn't it then more be an aggregated interface?
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What you will do is create an Aggregate interface (802.3ad) with all of the physical interfaces you want to bundle. You then create new interfaces choosing the VLAN as the type, then the Aggregate you created earlier as the interface, specifying the VLAN ID, etc... You assign each of those VLANs an IP address, administrative access, etc... and then create your various policies between each as you deem needed.
On your Aruba switch, you will create a trunk interface with all of the connected switch ports to the FortiGate. So something like this from the CLI on the Aruba.
trunk 1/1-1/4 trk1 lacp
Create those same VLANs on the switch (L2) and "tagged trk1" so that they pass those VLANs to the firewall (L3) that does the routing between.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Standalone FortiSwitch default route 179 Views
- Seeking Guidance on Configuring DHCP Relay... 289 Views
- Softphone users one way audio 126 Views
- Fortigate 40F Slow Upload Speeds 177 Views
- Software Switching and Fortlink 803.ad interfaces... 270 Views
Labels
-
FortiGate
8,499 -
FortiClient
1,722 -
5.2
801 -
FortiManager
715 -
5.4
639 -
FortiAnalyzer
548 -
FortiSwitch
460 -
FortiAP
460 -
6.0
416 -
FortiClient EMS
411 -
5.6
362 -
FortiMail
309 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
223 -
FortiWeb
200 -
5.0
196 -
IPsec
188 -
FortiNAC
180 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
76 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
Fortivoice
53 -
FortiADC
53 -
High Availability
53 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
Routing
40 -
DNS
40 -
BGP
39 -
LDAP
39 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
27 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
SSL SSH inspection
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1662 | |
| 1077 | |
| 752 | |
| 446 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.