Network_Engineer
New Contributor III

SVI and Sub-Interface Configuration Using GUI

Q1 How do you configure a switch virtual interface and do VLAN tagging on the firewall ports using the GUI?

Q2 If it is possible, please guide me and advise whether I am supposed to use a software switch or a hardware switch?

Q3 How come there can be 3 IP addresses for the physical and virtual interfaces? IP addresses should only be on the physical or the virtual interface, not both. (There is one physical and 2 virtual interfaces.)

Q4 How do you configure an interface and assign sub-interfaces to it using the GUI?

1 Solution
Toshi_Esumi
Esteemed Contributor III

A1. Again no SVI. No way with FortiGates. FGTs are not "L2/L3 switch-router".

Toshi


sharmaj
Staff

akristof
Staff

Hello,

Thank you for your questions.

Answer to your Q1 and Q3. Go to Network -> Interfaces -> Create New.

There you have the option to create different types of interfaces, for example Virtual-switch and Hardware-switch (some options might be missing depending on model, firmware, etc.). You also have the option to enable and configure a secondary IP address on the interface.

The difference between a software switch and a hardware switch is that not all devices have the option to create a hardware switch. The purpose of a hardware switch is to bind together multiple hardware ports. The main difference is that traffic via a hardware switch can be offloaded to the ASIC, while a software switch processes all packets via the CPU:

https://docs.fortinet.com/document/fortigate/6.2.10/cookbook/100999/hardware-switch

And to answer your last questions: it depends what kind of sub-interface you want to create. For example, if you are creating a VLAN, you need to specify which parent interface this VLAN belongs to. If you are creating an IPsec tunnel, after you configure it, and if you configure a route-based VPN, the system will create a tunnel interface, etc.

Adrian
Network_Engineer

Hi,

So a VLAN is a physical VLAN?

A software switch is a logical VLAN?

I want to create a router on a stick.

One interface has multiple VLANs.

This is the sub-interface I want to create.

How do I do it?

akristof

Hey,

As my colleague shared the docs, check this:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-create-a-VLAN-tagged-interface-802-...

This will show you how to create a VLAN on a specific interface.

A VLAN is not a physical interface and a software switch is not a logical VLAN. A software switch is a switch.

Adrian
Network_Engineer

OK. In that case, since a software switch is not a logical VLAN, how do I create a logical VLAN?

How do you differentiate between a logical and a physical VLAN?

For these 3 interfaces, why is it possible to assign IP addresses on the physical and logical interfaces at the same time?

If I connect to this interface, what IP address will I get?

akristof

Hello,

In your case, the internal2 interface is untagged, SVI-1 is tagged as VLAN 1 and SVI-10 is tagged as VLAN 10, I guess. So if you connect a PC directly to the internal2 interface, without any config, the PC will send untagged traffic, so you will get an IP from that interface. If you put a switch in the middle, the switch port connected to the FortiGate should be a trunk. And the rest should be clear: based on the access port VLAN, traffic will be received by the interface with the matching VLAN tag.

Adrian
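As an added illustration of the tagged/untagged split described in this reply (example code, not from the thread, Fortinet or any FortiGate firmware): the simulation below parses the 802.1Q header of a constructed Ethernet frame and decides which interface receives it, using the interface names from this thread. The "VID 0 counts as untagged" rule is the IEEE 802.1Q priority-tag rule; everything else is a constructed model, not FortiGate behaviour.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional, Tuple

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

@dataclass
class ParentInterface:
    """Physical port with VLAN sub-interfaces attached to it (constructed model)."""
    name: str
    vlans: dict = field(default_factory=dict)  # vlan id -> sub-interface name

def parse_8021q(frame: bytes) -> Tuple[Optional[int], int]:
    """Return (vid, payload_ethertype); vid is None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype
    if len(frame) < 18:
        raise ValueError("802.1Q header truncated")
    tci, payload_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF  # low 12 bits of the TCI; PCP/DEI in the top 4 are ignored here
    # VID 0 is a "priority-tagged" frame: it carries a PCP only and counts as untagged.
    return (None if vid == 0 else vid), payload_type

def receiving_interface(parent: ParentInterface, frame: bytes) -> Optional[str]:
    """Name of the interface that takes the frame, or None when no sub-interface matches."""
    vid, _ = parse_8021q(frame)
    if vid is None:
        return parent.name  # untagged traffic lands on the parent (the untagged interface)
    return parent.vlans.get(vid)  # unknown tag: dropped, no interface owns it

def build_frame(vid: Optional[int], ethertype: int = 0x0800) -> bytes:
    """Construct a minimal Ethernet frame (broadcast dst, locally administered src), tagged if vid is set."""
    header = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
    if vid is None:
        return header + struct.pack("!H", ethertype) + b"\x00" * 46
    tci = (0 << 13) | (0 << 12) | vid  # PCP 0, DEI 0
    return header + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + b"\x00" * 46

# Constructed to mirror the thread: internal2 untagged, SVI-1 on VLAN 1, SVI-10 on VLAN 10.
INTERNAL2 = ParentInterface("internal2", {1: "SVI-1", 10: "SVI-10"})

if __name__ == "__main__":
    for vid in (None, 1, 10, 0, 20):
        print(vid, "->", receiving_interface(INTERNAL2, build_frame(vid)))
```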
Network_Engineer

Hi,

Q1 Is it possible not to configure any IP address on the first interface and to configure them only on the sub-interfaces?

Q2 Is it possible to form an EtherChannel and configure IP addresses only on the sub-interfaces?

Toshi_Esumi
Esteemed Contributor III

BTW, with the FortiGate architecture, the "SVI" concept doesn't exist. All sub-interfaces are attached to their parent interfaces. The parent can be a single physical port, an aggregated LAG interface, or a combined hard- or soft-switch interface. But they never "float" with a VLAN tag.

Toshi

Network_Engineer

Good day,

Q1 Since there is no way to configure a logical VLAN, is there any workaround for this?

Also, I am still confused between a software switch and a VLAN.

Q2 Isn't a VLAN a virtual switch, so a virtual switch is the same as a software switch?

I am new to FortiGate so please kindly clarify my questions.

Thank you.
