Hello team!!!
I hope it goes well for you!
We have 2 different "trunk" interfaces (With different VLANs on each one).
For example:
* VLANs 10, 20 and 30 on port1
* VLANs 40, 50 and 60 on port2
Now, we need to add VLAN 100 to both trunk interfaces.
Because, for example, we need to access something in VLAN 100 connected to port1 from something in VLAN 100 connected to port2.
We have a managed switch directly connected to port1 and a different managed switch connected to port2.
I thought to create the first VLAN Switch (the other 2 are not VLAN switches, just interfaces with VLANs), but I do not believe I will be able to use the current port1 and port2 on it.
So, with my moderate knowledge, I think of the following 2 options:
* Create a VLAN switch for different ports (example: port3 and port4), with VLAN 100, and connect both to each managed switch on a different port, with VLAN 100 as tagged
* Create a virtual switch (without VLANs) for different ports (example: port3 and port4), and connect both to each managed switch on a different port, with VLAN 100 as untagged
I think these 2 options are not so prolix.
Is there any other option?
What do you suggest?
Thanks in advance.
Regards,
Damián
Hi @damianhlozano ,
You can only create one interface on FortiGate with the same VLAN-ID value, so in this scenario it would be best to combine two of the solutions you mentioned according to your topology. For this, based on your topology, I configured a software switch definition on port3/port4 and then created a new interface under this definition with VLAN-ID 100. Then I created 2 different client machines on two different switches and tested end-to-end access, and I did not encounter any problems.
If you design this way, you will have flexibility if you have similar needs in the future. For example, a new interface can be created for VLAN-ID 200 using the same software switch.
BR.
If my answer provided a solution for you, please mark the reply as solved so that others can find it easily while searching for similar scenarios.
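The design in this answer, written out as FortiOS CLI, is added here as an example; it is not the poster's actual configuration. The interface names "sw-vlan100-bridge", "VLAN100_sw" and "VLAN10", the ports port3/port4, the VDOM "root" and the addresses are assumptions, and the lines beginning with '#' are explanatory notes rather than CLI commands.

```text
# Added example (not the poster's configuration). Names "sw-vlan100-bridge",
# "VLAN100_sw" and "VLAN10", ports port3/port4, VDOM "root" and the IP
# address are assumptions. Lines starting with '#' are explanatory only.

# 1. Software switch bridging port3 and port4.
#    "intra-switch-policy implicit" means frames between the member ports
#    are bridged without a firewall policy (the behaviour confirmed later
#    in this thread).
config system switch-interface
    edit "sw-vlan100-bridge"
        set vdom "root"
        set type switch
        set intra-switch-policy implicit
        set member "port3" "port4"
    next
end

# 2. One VLAN interface (tag 100) on top of the software switch. This is the
#    single FortiGate interface carrying VLAN-ID 100 for this bridge; both
#    upstream managed switches present VLAN 100 tagged on the links to
#    port3 and port4.
config system interface
    edit "VLAN100_sw"
        set vdom "root"
        set type vlan
        set interface "sw-vlan100-bridge"
        set vlanid 100
        set ip 10.100.0.1 255.255.255.0
        set allowaccess ping
    next
end

# 3. Leaving VLAN 100 toward any other interface still needs an explicit
#    firewall policy. Example: VLAN 100 -> the VLAN 10 interface on port1
#    (assumed to be named "VLAN10"), logged so the flows are visible.
config firewall policy
    edit 0
        set name "vlan100-to-vlan10"
        set srcintf "VLAN100_sw"
        set dstintf "VLAN10"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Only one policy direction is shown; a return direction (VLAN 10 to VLAN 100) needs its own policy, and keeping "srcaddr"/"dstaddr" narrower than "all" is preferable once the real subnets are known.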
Wow, thanks atakannatak for all the time you took to make this.
I will try your solution.
Thanks again!!
Regards
Damián
Hi there,
> You can only create one interface on FortiGate with the same VLAN-ID value
maybe there's something I don't understand here, but the VLAN documentation (for v7.0.x) says otherwise, and provides an example like so:
    config system interface
        edit VLAN_100_int
            set type vlan
            set interface internal
            set vlanid 100
        next
        edit VLAN_100_ext
            set type vlan
            set interface external
            set vlanid 100
        next
    end
Was this a limitation of previous versions of FortiOS, or did I not grasp the context of the question?
Thanks for extra insights on this,
C.
Hello cgtech!!
I checked this on an active FortiGate and I saw that you can create 2 VLANs with the same VLAN ID on different interfaces (the two VLANs cannot have the same name); however, I think devices in a VLAN connected to one port will not reach devices in the same VLAN ID on another port.
Anyway, I don't know why this is allowed; maybe someone here could explain this.
Regards,
Damián
Hello,
Just to know before trying this, in case you already know the answer:
This should work without any rule to allow traffic, right? (In layer 2, like a switch)
Thanks
Regards
Hi,
Actually, the clients which are connected through the software switch don't need any rule. However, if you want connectivity between these clients and others, you must add some rules depending on what you need.
BR.
Thank you, it was what I suspected and what I intended.
Regards