
Fortigate100F -- Does a VLAN Switch interface act like a trunk port?

I have a Fortigate 100F. I have aggregated four Physical ports, 1-4, into a VLAN Switch interface. I have set the 'Role' of the VLAN Switch interface to LAN, set the 'VLAN ID' of the VLAN Switch to 10, and I have assigned an IP address and subnet mask to the VLAN Switch interface. I then created 4 VLAN type subinterfaces on the VLAN Switch interface, VLAN ID: 20,30,40,50, all with non-overlapping IP addresses/netmasks.


The mental model I have in my head about how a VLAN Switch in FortiGate works is that it operates like a trunk link, transporting traffic tagged with multiple vlans, as well as untagged traffic (native vlan traffic), to other VLAN aware Layer 2 devices, such as Managed switches, with the added benefit of link redundancy because a VLAN Switch interface is formed from multiple physical ports.


What I wanted to create was a "firewall-on-a-stick" setup where the end devices in the various vlans (10-50) connect to a managed Aruba 2930F switch which trunks over (via multiple cables) to the FortiGate 100F on ports 1-4 (the VLAN switch) for intervlan routing and firewall policy processing purposes. The IP address I assigned to each VLAN subinterface on the VLAN Switch is the IP address I assign as the default gateway of end devices residing in the same VLAN. For example, end devices in VLAN 30 have a default gateway IP equal to the IP assigned to the VLAN 30 subinterface on the VLAN Switch interface. Likewise, end devices in vlan 10 have a default gateway IP equal to the IP address assigned to the VLAN Switch interface (native vlan). Unfortunately, with this setup, I cannot ping the VLAN subinterface "gateways" from the end devices: For example, I cannot ping the VLAN 40 subinterface from an end device on VLAN 40 through the Aruba 2930F trunk link -- I am tagging the appropriate traffic on the Aruba interface connecting to the FortiGate; I also cannot ping the VLAN 40 subinterface from an end device on VLAN 40 when connecting directly to the FortiGate on any of ports 1-4, bypassing the Aruba 2930F managed switch entirely -- I am setting the network adapter to tag VLAN traffic directly.


Only devices on VLAN 10 (the native vlan -- untagged) can ping anything. End devices on VLAN 10 can ping the VLAN Switch "gateway" IP and can ping VLAN subinterface "gateways" on the VLAN Switch, provided that the appropriate firewall policies are in place to allow this. I am currently plugging end devices on VLAN 10 directly into the FortiGate on ports 1-4, but I think I was able to do it through the Aruba Switch earlier.


All devices are directly connected to the FortiGate 100F firewall so routing should not be an issue. All interfaces and subinterfaces are set to allow PING administrative traffic. All needed firewall policies are in place to allow pinging between interfaces. Trusted Host is not enabled on the firewall. All interfaces/subinterfaces are in the same VDOM (root). Why can't I ping? What don't I understand about how VLAN Switch interfaces work on FortiGate? If a VLAN Switch interface is not appropriate for firewall-on-a-stick, what alternative can I employ in FortiGate to make a firewall-on-a-stick setup for inter-vlan routing? I really want the redundancy benefit of aggregated ports.


Thank you for your time and consideration.


If you want to connect a switch with multiple ports, to me a (VLAN) Switch on the FGT doesn't make sense. Shouldn't it rather be an aggregated interface?


"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams


What you will do is create an Aggregate interface (802.3ad) with all of the physical interfaces you want to bundle. You then create new interfaces choosing the VLAN as the type, then the Aggregate you created earlier as the interface, specifying the VLAN ID, etc... You assign each of those VLANs an IP address, administrative access, etc... and then create your various policies between each as you deem needed.


On your Aruba switch, you will create a trunk interface with all of the connected switch ports to the FortiGate. So something like this from the CLI on the Aruba.


trunk 1/1-1/4 trk1 lacp


Create those same VLANs on the switch (L2) and "tagged trk1" so that they pass those VLANs to the firewall (L3) that does the routing between.
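
The FortiGate side of the setup described in the reply above, written as FortiOS CLI. This is an added example, not part of the original posts: the interface names (agg1, vlan20, vlan30), the addresses and the policy are constructed placeholders, and it assumes port1-port4 have first been removed from the VLAN Switch and that VLAN 10 stays untagged on trk1.

```fortios
# Lines starting with '#' are annotations for the reader.
# Assumption: port1-port4 are no longer members of the VLAN Switch and are
# not referenced by any policy, so they can be added to an aggregate.
config system interface
    # 802.3ad aggregate that pairs with "trunk 1/1-1/4 trk1 lacp" on the Aruba
    edit "agg1"
        set vdom "root"
        set type aggregate
        set member "port1" "port2" "port3" "port4"
        set lacp-mode active
        set role lan
        # Untagged frames (VLAN 10 on the switch) land on the aggregate itself
        set ip 10.0.10.1 255.255.255.0
        set allowaccess ping
    next
    # One 802.1Q subinterface per tagged VLAN; repeat for 40 and 50
    edit "vlan20"
        set vdom "root"
        set interface "agg1"
        set vlanid 20
        set ip 10.0.20.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
    edit "vlan30"
        set vdom "root"
        set interface "agg1"
        set vlanid 30
        set ip 10.0.30.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
end
# Inter-VLAN traffic is denied until a policy allows it.
# This constructed policy permits only ping from VLAN 20 to VLAN 30.
config firewall policy
    edit 0
        set name "vlan20-to-vlan30-ping"
        set srcintf "vlan20"
        set dstintf "vlan30"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "PING"
    next
end
```

Limiting allowaccess to ping on the gateway interfaces keeps management services (HTTPS, SSH) off the user VLANs, and writing one narrow policy per VLAN pair keeps the inter-VLAN rules explicit.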

