Hi,
On FortiGate 100F I create vlan50, vlan60, vlan70 and make port1, port2 as trunk(vlan50, vlan60, vlan70), how can I make port3 access vlan50?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You create a firewall policy to allow access from (srcintf) port3 to (dstintf) vlan50
I need to assign port3 vlan50
why? is port3 in vlan50 also? FortiGate is a router, not a switch
Created on 11-12-2024 05:13 AM Edited on 11-12-2024 06:14 AM
port 3 untagged vlan50,
If vlan50 is tagged for port1 and 2 I can't make it untagged for port 3 on the FortiGate?
The Vlan tag is is a 32-bit field between the source MAC address and the EtherType fields of the original frame. There's nothing more to it. If the packet has Vlan tag 50 as it arrives on an interface, it is accepted, vlan tag stripped, then it is sent to the destination according to the firewall policy. That destination port may be port3, and have a different vlan. The vlan tag should be applied upon exiting the unit. It doesn't make much sense to have port3 in Vlan50 as well - you are wasting ports on a firewall instead of using the port in the switch and tag the traffic there. This doesn't mean that it's not possible to do it. Some examples:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setup-comparison-between-FortiGate-Hardwar...
I don't have a FortiSwitch,
I have a channel untagged and need to connect to untagged port3(vlan50) and pass tagged vlan50 to port1,2
> how can I make port3 access vlan50?
Not possible with the way you configured this currently.
For incoming packets, untagged frames will be considered as arriving on the logical interface "switch2", and tagged frames will be considered as arriving on the logical interface that has the matching VLAN-ID (so presumably VLAN-ID=50 => interface "vlan50", etc.)
Egress is controlled by routing table, and if the egress interface is a VLAN-interface, the frame gets tagged with the appropriate VLAN-ID when it finally egresses out of the underlying physical interface.
"VLAN switch" could be the feature you're looking for, but be aware that this will require reconfiguration/redesign of the interfaces.
docs: https://docs.fortinet.com/document/fortigate/7.4.5/administration-guide/183531
In this mode you create virtual switches, whose members are "access port" (accept untagged traffic), and then selectively pick individual interfaces to act as trunks (but you can't select specific VLANs to be trunked, it's all or nothing).
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.