Support Forum
JoseVold
New Contributor

VLAN Switch on 100f not giving out native IP address on trunk

Hello everyone,

Looking for a solution to this after a week of searching and trying.

I wanted to set up a FG 100F v7.0.15 to be a VLAN switch. I removed all the ports from the switch except port1, as it will not allow me to remove the last port, of course. Problem... after setting up all the VLAN switch VLANs and adding the ports I want to the VLANs, I create the trunk.

The trunk will not hand out the IP address from native VLAN 1 or 0 on this product. To test my work before adding to the network, I take the PC and tag the NIC with the corresponding VLAN and I get the correct IPs per VLAN. If I remove all tags on the NIC, leaving the NIC on 0 (untagged), I get nothing when I am expecting the native VLAN 1 IP addressing.

What gives here?

dingjerry_FTNT

Hi @JoseVold,

My understanding is, usually, you connect a managed switch to the physical interface on the FGT. That physical interface will act as a trunk interface.

So if the untagged packet is coming through the managed switch, most switches will tag it with the native VLAN ID. So the FGT will see it with a VLAN ID tagged and will give out the DHCP IP accordingly.

However, if you connect to the physical interface directly, not via a managed switch, I am not sure (because I couldn't find any official doc about it) whether this interface will tag any untagged packets or not.

Regards,

Jerry
JoseVold

You do not need a switch to test this. You need a device that can tag VLANs. If you have a NIC card on a PC or Mac, it is the same as a switch doing it, as long as the NIC allows you to add a VLAN ID.

You can test your work this way.

Toshi_Esumi
SuperUser

First, any ports not part of a VLAN switch (config system virtual-switch) interface would not be part of the FGT's VLAN switch "trunk" port. Only the native VLAN you configured in the VLAN switch interface, like below, would be a part of the "trunk" port.

config system virtual-switch
    edit "VLAN10"
        set physical-switch "sw0"
        set vlan 10      <-- native vlan
        config port
            edit "internal1"
            next
            edit "internal2"
            next
        end
    next
end

Second, VLAN 1 is reserved and wouldn't work if you configured it.
https://docs.fortinet.com/document/fortigate/7.6.1/fortigate-6000-administration-guide/729353/vlan-i...

And third, after 7.2.x you can remove all member interfaces from the vlan switch/hard-switch/config system virtual-switch, to have an empty interface.


Toshi

JoseVold

Hello Toshi,

Thanks for the reply.

I see that I didn't ask this correctly. I am wondering why I cannot get the default switch VLAN 1 IP address 192.168.100.111/24 on the trunk. That is what trunks do. I was trying to avoid going through the long-winded explanation of the way VLANs work, but here we go...

The problem here is that "default" and "native" are interchangeable terms and I didn't specify VLAN 1 (sorry). Also, so are the PVID and access ports. This can be looked at also as a default / native VLAN; let's look at the VLANs in this manner. Devices that are unaware cannot determine what VLAN they are going to be on. That is the job of the switch. So... if you use a Cisco switch and create an access port of 10, it is now the default/native/PVID, and any PC connected, or any device that cannot set the tag for this port, will automatically get tagged with the default VLAN 10.

Now this device is on VLAN 10 and should get the correct IP subnet for that VLAN from the DHCP, provided that one is configured.

All switches' and routers' default VLAN is 1.

So a trunk carries ALL VLANs, including 1, which will have a subnet on it.

This means that I should be able to take my PC and plug it into the trunk port without a VLAN ID set on the PC and get VLAN 1 (switch default VLAN subnet) because on this trunk port the NATIVE is 1.

Let's go a little further.

Fortigate >>> create interface vlan-switch
set the VLAN ID 20 <<< Native for these ports, not VLAN 1 for switch
Set subnet 192.168.122.1/24
Add desired ports 4,5 <<< Native for these ports, not VLAN 1 for switch
set DHCP

Do it again:

Fortigate >>> create interface vlan-switch
Set VLAN ID 30 <<< Native for these ports, not VLAN 1 for switch
Subnet 192.168.222.1/24
Add ports 6,7 <<< Native for these ports, not VLAN 1 for switch

Now if you plug in your PC that is UNAWARE of the VLAN, it will get the IP for the corresponding VLAN as the port will be native. However, this will NOT happen on a trunk unless it is tagged. If a device comes into this port untagged, it should get the switch native VLAN 1 and the subnet that it is on.

My LAN is a vlan-switch with 0 as the VLAN ID on port 1, so this would be my default VLAN 1 on the trunk port. I cannot remove port 1 from the VLAN switch.

So how do I achieve this on a Fortigate in VLAN switch mode?
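As an added example (not posted in this thread and not taken from Fortinet documentation), this is the CLI form of the two approaches the thread contrasts: a VLAN switch interface whose member ports deliver untagged frames into VLAN 20, and the 802.1Q subinterface alternative for tagged traffic. Port names (port3, port4, port5), the switch name "sw0" and the DHCP range are assumptions; the subnets are the ones given above.

```fortios
# Assumed example (not from the thread): ports 4 and 5 are members of the
# VLAN switch "VLAN20"; untagged frames on them land in VLAN 20.
config system virtual-switch
    edit "VLAN20"
        set physical-switch "sw0"
        set vlan 20
        config port
            edit "port4"
            next
            edit "port5"
            next
        end
    next
end
# The VLAN switch interface carries the gateway address for the segment.
config system interface
    edit "VLAN20"
        set ip 192.168.122.1 255.255.255.0
        set allowaccess ping
    next
end
# DHCP scope handed to hosts plugged into port4/port5 (range is assumed).
config system dhcp server
    edit 20
        set interface "VLAN20"
        set default-gateway 192.168.122.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 192.168.122.10
                set end-ip 192.168.122.100
            next
        end
    next
end
# Alternative chosen later in the thread: an 802.1Q subinterface on a
# physical port (port3 assumed, not a VLAN switch member). Only frames
# tagged 30 reach it; untagged frames on port3 stay on port3 itself.
config system interface
    edit "vlan30"
        set vdom "root"
        set interface "port3"
        set vlanid 30
        set ip 192.168.222.1 255.255.255.0
        set allowaccess ping
    next
end
```

Neither form gives an untagged host on a VLAN switch "trunk" an address from VLAN 1; the subinterface form is the one that behaves like a conventional tagged uplink.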

Toshi_Esumi

FGT's VLAN switch "trunk" port is NOT a general trunk port you're familiar with.
It (ASIC) is not designed to do what you're thinking it "should" do. It would just aggregate ONLY those native VLANs configured on VLAN switch interfaces I showed above.

Toshi

JoseVold

Ok, thank you, that is what I thought, because there is no way this was this hard to do normally. I will just use subinterfaces then. Definitely disappointing. Thank you Toshi.

Toshi_Esumi

I felt the same when I tested in the last few years with 6.4.x and 7.0.x. FTNT couldn't come up with a good terminology other than "trunk" when they developed this new feature with the new chip.

Toshi

JoseVold

Wow, yep, cuz this is NOT a trunk. I gave up on FGNT a few years ago. I tried to come back, but no way. LOL, not driving me crazy with bugs and things that never work. :)

JoseVold

Hi Toshi,

Can you advise on what the best, most secure firmware is for this device? Thank you.
