Hi,
Is it possible on a FortiGate 100F to have one VLAN configured on multiple ports?
Let's say I have vlan5 192.168.5.0. Is it possible to attach it to port1 and port2, so that I then have the same shared vlan5 subnet on both ports?
thanks
Hello Wojtek,
You can assign the same VLAN to multiple physical ports, and with different IPs on the same subnet. To do that, you need to enable 'allow-subnet-overlap'.
See https://kb.fortinet.com/kb/documentLink.do?externalID=FD30014
Best regards, Benoit
This is no problem for me, as I have managed switches and already use a tagged MGMT VLAN. I'm asking whether the FortiGate is able to achieve this setup, as I will soon be moving from my current router to a FortiGate.
I think you're conflating routers and layer 3 switches. I'm not aware of any "router" that can do what you're asking, and that's more what the FortiGate is, so unfortunately not.
Sounds like you have a similar setup to us:
We have managed switches that have VLANs tagged on their ports. The switches have an uplink to the next switch (redundant, using spanning tree and trunking). All traffic that wants to leave the VLAN/subnet it comes from will hit the FortiGate in the end. So the FGT has one interface (one port or trunk) connected to the first switch, and all VLANs are tied to that on the FGT.
Still, those are separated on one hand by the port tagging on the switches and also by the FGT, because there will be no inter-VLAN traffic unless a policy explicitly allows it.
This is working fine here.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Yes, I'm going to do the same config when I build my new FortiGate.
I have one more question. I don't use the native VLAN 1 in my LAN; my LAN is on another tagged VLAN ID. Is there any way on a FortiGate trunk port to ingress-filter VLANs and not accept any untagged frames? This is intended to make my network more secure.
Hm, I don't think so. But it does not matter, since you could give the physical interface some dummy config, or set it to DHCP or anything else, so it doesn't match any packet coming in there.
Additionally, all traffic that doesn't match any policy on the FGT will hit Policy #0 and get dropped. This is the FGT default :)
Or you set the physical port up for the first VLAN (IP config only) and set the uplink to the first switch after the FGT to be untagged in that VLAN. This is the way we do it. Ports that are not in any VLAN are untagged in VID 1 (because HP switches require this), and the interface on the FGT carries the IP config for the first VLAN.
All other VLANs are tied to this interface as virtual VLAN interfaces with the correct VID. The uplink on that switch is tagged in all other VLANs. So traffic from other VLANs hits the FGT with the correct VID and hits the VLAN interface, while traffic with no VID or an invalid VID gets retagged to 1 by the switch and hits the physical interface because it matches the IP config.
Works fine here.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
You could configure the switch on the FortiGate so that multiple physical ports share the same "interface", but you would not be able to tag VLANs on these ports.
The switch ports will share all VLANs that are tied to the switch interface.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
It may be late for you, but for other viewers: FortiGate 100F supports virtual-switch-vlan.
config system global
    set virtual-switch-vlan enable
end
Then you can create a new virtual switch, add port1 and port2, and set the VLAN ID on this vswitch:
config system virtual-switch
    edit "VLAN SW"
        set physical-switch "sw0"
        set vlan 5
        config port
            edit "port1"
            next
            edit "port2"
            next
        end
    next
end
That way port1 and port2 share the same VLAN 5. But note that traffic leaving port1 and port2 is not tagged.
Another port, e.g. port3, can be configured as a trunk port and connected to a trunk port on an external switch:
config system interface
    edit port3
        set trunk enable
    next
end
Traffic from "VLAN SW" on trunk port3 will be tagged VLAN 5 toward the external switch.
Hope this is what you need.
Could you explain how this "virtual-switch-vlan" is different from a VLAN subinterface on a hard switch, like below, without enabling this feature?
config system virtual-switch
    edit "VLAN-SW"
        set physical-switch "sw0"
        config port
            edit "port1"
            next
            edit "port2"
            next
        end
    next
end
config system interface
    edit vlan5
        set vdom "root"
        set interface "VLAN-SW"
        set vlanid 5
    next
end
Toshi
Created on 04-30-2022 11:46 PM Edited on 04-30-2022 11:48 PM
Hi Toshi
For the FGTs that support a VLAN switch, you need to enable "virtual-switch-vlan" so the config you referenced will work, provided that you also set trunk on port1 and port2.
The document says 'set trunk enable' is optional, but I see it is required for the subinterface to work.
For the models that don't support a VLAN switch, your config will work anyway.
It's very confusing for me too, so I edited the previous reply. It may require some lab work for specific use cases.
Cheers.
Viet
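An added example that is not part of this thread or of any FortiGate code: a small Python linter for the two layouts discussed above (Viet's virtual-switch-vlan setup with a trunk port, and Toshi's hard-switch plus VLAN subinterface). It parses the config/edit/set/next/end nesting of a FortiOS CLI dump and reports the three points raised in the thread: `set vlan` on a virtual switch without `virtual-switch-vlan` enabled, member ports lacking `set trunk enable` (Viet's observation), and a trunk parent interface that also carries an IP, where untagged frames would land per the HP-switch post. Both sample configs are constructed for illustration; the IP addresses in them are assumptions.

```python
"""Lint a FortiOS config dump for the VLAN-on-multiple-ports settings discussed
in the thread. Not FortiGate code; handles only config/edit/set/next/end nesting."""

# Constructed sample: the virtual-switch-vlan layout plus a trunk port (port3)
# that also has its own IP. Addresses are made up for the example.
VSWITCH_VLAN_CONFIG = """\
config system global
    set virtual-switch-vlan enable
end
config system virtual-switch
    edit "VLAN SW"
        set physical-switch "sw0"
        set vlan 5
        config port
            edit "port1"
            next
            edit "port2"
            next
        end
    next
end
config system interface
    edit "port1"
        set trunk enable
    next
    edit "port3"
        set ip 10.0.0.1 255.255.255.0
        set trunk enable
    next
    edit "vlan5"
        set interface "port3"
        set vlanid 5
    next
end
"""

# Constructed sample: hard switch with a VLAN subinterface, no virtual-switch-vlan.
HARD_SWITCH_CONFIG = """\
config system virtual-switch
    edit "VLAN-SW"
        set physical-switch "sw0"
        config port
            edit "port1"
            next
            edit "port2"
            next
        end
    next
end
config system interface
    edit "vlan5"
        set interface "VLAN-SW"
        set vlanid 5
    next
end
"""


def parse_fortios(text):
    """Turn the nested CLI into dicts: {table: {entry: {attr: value, subtable: {...}}}}.
    A table with no 'edit' entries (system global) maps its attrs directly."""
    root = {}
    stack = [root]                       # dict currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, _, rest = line.partition(" ")
        if cmd == "config":
            stack.append(stack[-1].setdefault(rest, {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(rest.strip('"'), {}))
        elif cmd == "set":
            key, _, value = rest.partition(" ")
            stack[-1][key] = value.strip('"')
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()                  # a stray top-level 'end' is ignored
    return root


def lint(cfg):
    """Return review findings, in config order."""
    findings = []
    vlan_switch = cfg.get("system global", {}).get("virtual-switch-vlan") == "enable"
    interfaces = cfg.get("system interface", {})
    for name, vsw in cfg.get("system virtual-switch", {}).items():
        if "vlan" in vsw and not vlan_switch:
            findings.append(f"{name}: 'set vlan' needs 'set virtual-switch-vlan enable' in system global")
        for port in vsw.get("port", {}):
            # Thread observation: with virtual-switch-vlan on, members needed trunk enable.
            if vlan_switch and interfaces.get(port, {}).get("trunk") != "enable":
                findings.append(f"{name}: member {port} has no 'set trunk enable'")
    for name, intf in interfaces.items():
        # A trunk parent with its own IP is where untagged frames get processed;
        # the thread's alternatives are a dummy/DHCP config or owning VLAN 1 on purpose.
        if intf.get("trunk") == "enable" and "ip" in intf:
            findings.append(f"{name}: trunk port has IP {intf['ip']}; untagged frames land here")
    return findings


if __name__ == "__main__":
    for label, text in (("virtual-switch-vlan", VSWITCH_VLAN_CONFIG), ("hard-switch", HARD_SWITCH_CONFIG)):
        print(f"== {label} ==")
        for finding in lint(parse_fortios(text)) or ["no findings"]:
            print("  " + finding)
```

Run it against a real `show full-configuration` dump by replacing the sample strings; the parser keys tables by their full name (`system interface`), so other tables in the dump are parsed but ignored by `lint`.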
Copyright 2024 Fortinet, Inc. All Rights Reserved.