Hello,
Is there a way to allow all VLANs on a port (the whole range of VLAN IDs, not only the VLANs defined on the FGT)?
Thanks in advance.
Best Regards,
Ahmed Elswify
There is the option from the GUI to choose All as seen below:
or CLI:
config switch-controller managed-switch
    edit "port2"
        set poe-capable 1
        set vlan "Administrata"
        set allowed-vlans-all enable
Hello Emirjon,
Thanks for your reply. As far as I understand, this option will only allow the "defined" VLANs (VLANs already created on the FGT).
BR,
Yes, the VLANs configured via the FGT are the same VLANs configured on the switch. Each time you create a new VLAN, you don't have to manually include it on each port that has the allow all. What are you trying to achieve here?
To my knowledge, every switch (from different vendors) will accept and forward tagged traffic coming only from already configured VLANs, and will drop any tagged traffic if it doesn't have a VLAN configured for it.
I ran into a use case in which I need to allow the whole VLAN range (1-4094), not only the configured ones.
I've found a way: under 'config switch-controller global', the option 'set vlan-all-mode' defines whether to allow the whole range ('all') or only the defined ones ('defined'). However, this will be applied to all the trunk ports on all the managed switches, and this option would also increase the data processing on the switch.
I believe there is another way through executing a FortiSwitch custom script from the FGT, but I have not tested it yet.
config switch-controller custom-command
    edit "allowed-vlan-range"
        set command "config switch interface %0a edit port1 %0a set allowed-vlans 1-4094 %0a end %0a"
    next
end
I didn't know that command and don't know the consequences on the performance.
The technique used to pass these VLANs from one perimeter to another, like a Service Provider, is Q-in-Q. Maybe you can give it a try: https://docs.fortinet.com/document/fortiswitch/7.0.0/administration-guide/146340/vlan-stacking-qinq
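Added example, not part of the thread and not Fortinet tooling: both settings discussed above widen what a trunk port carries, so this short Python audit parses a FortiGate configuration backup and lists every place where `vlan-all-mode all` or `allowed-vlans-all enable` is set. The `config ports` nesting under each managed switch, the sample configuration and the switch serial placeholder are assumptions constructed for the example.

```python
import shlex
# Constructed sample in FortiOS "show" layout; the switch serial is a placeholder.
SAMPLE = '''
config switch-controller global
    set vlan-all-mode all
end
config switch-controller managed-switch
    edit "SWITCH-SERIAL-PLACEHOLDER"
        config ports
            edit "port1"
                set vlan "Administrata"
            next
            edit "port2"
                set allowed-vlans-all enable
            next
        end
    next
end
'''

def iter_settings(text):
    """Yield (path, key, value) for each 'set' line, tracking config/edit nesting."""
    stack = []
    for raw in text.splitlines():
        tok = shlex.split(raw) or [""]
        if tok[0] == "config":
            stack.append(("config", " ".join(tok[1:])))
        elif tok[0] == "edit" and len(tok) > 1:
            stack.append(("edit", tok[1]))
        elif tok[0] == "next" and stack and stack[-1][0] == "edit":
            stack.pop()                      # 'next' closes the current edit
        elif tok[0] == "end":                # 'end' closes an open edit and its config
            while stack and stack.pop()[0] != "config":
                pass
        elif tok[0] == "set" and len(tok) >= 3:
            yield [name for _, name in stack], tok[1], " ".join(tok[2:])

def audit(text):
    findings = []                            # (location, setting) pairs to review
    for path, key, value in iter_settings(text):
        if path == ["switch-controller global"] and (key, value) == ("vlan-all-mode", "all"):
            findings.append(("global", "vlan-all-mode all"))
        elif (len(path) == 4 and path[0] == "switch-controller managed-switch"
              and path[2] == "ports" and (key, value) == ("allowed-vlans-all", "enable")):
            findings.append((f"{path[1]}/{path[3]}", "allowed-vlans-all enable"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Run it against a saved configuration by passing the file's text to `audit()`; each finding is a port or global setting to compare against the VLANs that trunk is actually meant to carry.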
Copyright 2023 Fortinet, Inc. All Rights Reserved.