jase888
New Contributor

VLAN setup advice?

I have set up a VLAN interface on internal 7 (Port7), but for some reason it then sets up another interface just for internal7, and it seems I need to set this up with an IP address, subnet, etc. Then if I connect a switch to that port and connect a PC, it gives it the IP address of the internal 7 interface, not the VLAN?

So it looks like I don't even need a VLAN; I can just split the ports and set them up with different IP addresses, and that acts as a VLAN? Is this correct? I need to split up 2 networks over our FortiGate 60E with 1 WAN.

jase888
New Contributor

Looking at this article, even though it's on an old FortiGate, it looks like I would give internal7 (port7) the IP address and leave the VLAN IP settings blank? Is this correct? If so, I'm unsure why you would even create a VLAN, as it's more the port that has the LAN settings.

Sudarsan_Babu
Contributor

Hi,

Don't enable an interface IP address on PORT 7. Keep 0.0.0.0/0.0.0.0 and create the VLAN under that.

You need to enable the VLAN on the switch as well.

Now you can see the VLAN address from PORT 7.

Regards,

Sudarsan Babu P

jase888

OK, thanks, that's what I've done. However, I can't enable the VLAN on the switch, as my switch is not a FortiSwitch; it's just a regular unmanaged switch. Can this still be done?

Sudarsan_Babu

Hi,

You need to create a VLAN tag on the FortiGate.

Please refer to the article below:

http://kb.fortinet.com/kb/viewContent.do?externalId=FD30883

Regards,

Sudarsan Babu P

Toshi_Esumi
Esteemed Contributor III

Depending on what you meant by "need to split up 2 networks" and the capability of your switch, you have some options.

If both can be on the same broadcast domain, the first option is a secondary IP on Internal7. They can be non-tagged without VLANs. But I don't recommend this unless your switch is not capable of trunk and access ports.

Then the other options involve VLANs, as you figured: non-tagged + vlan-a as in the KB (a little outdated GUI), or vlan-a + vlan-b. As in the KB Sudarsan Babu P provided, a VLAN interface is a sub (child) interface of a parent/physical interface, in your case internal7. You need to complete the configuration individually. Then in either case the switch port connected to internal7 needs to be a trunk port, and you set an access port for the VLAN for those devices which don't talk VLAN.

jase888

Thanks, I ended up setting up a separate interface on internal7 and created a LAN on that, and it seems completely separate from my main network. Here's an image of it, and it didn't need any VLAN. Does this look OK?

Toshi_Esumi
Esteemed Contributor III

I thought you needed to connect them from the same switch. If you just want to have a separate subnet on Internal7 while all the other ports (1 - 6) are in the "internal" hard-switch, that's all you need. "internal" is just a combined interface for the members you leave in. By default, all 7 of them are in it, but you can split them up into 7 separate interfaces and configure/connect different subnets without VLAN tagging.
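
Why the PC in the original question picked up the internal7 address instead of the VLAN's, shown as an added example that is not part of any post in this thread: a simplified Python model of 802.1Q tagging in which untagged frames land on the parent interface and tagged frames go to the subinterface with the matching VLAN ID. VLAN ID 20, the name `vlan20` and the MAC addresses are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag

def build_frame(dst, src, ethertype, payload, vlan_id=None):
    """Build an Ethernet II frame; add an 802.1Q tag when vlan_id is given."""
    header = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be in 1..4094")
        header += struct.pack("!HH", TPID_8021Q, vlan_id)  # priority bits left at 0
    return header + struct.pack("!H", ethertype) + payload

def vlan_of(frame):
    """Return the VLAN ID carried by the frame, or None if it is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits of the tag control field are the VLAN ID

def receiving_interface(frame, parent, subinterfaces):
    """Simplified model: which logical interface handles a frame on the port."""
    vid = vlan_of(frame)
    if vid is None:
        return parent              # untagged traffic belongs to the parent
    return subinterfaces.get(vid)  # None means no subinterface for that tag

# Constructed sample data (not from the thread).
BROADCAST = b"\xff" * 6
PC_MAC = bytes.fromhex("020000000001")
SUBIFS = {20: "vlan20"}
PAYLOAD = b"\x00" * 46
UNTAGGED = build_frame(BROADCAST, PC_MAC, 0x0800, PAYLOAD)
TAGGED_20 = build_frame(BROADCAST, PC_MAC, 0x0800, PAYLOAD, vlan_id=20)
TAGGED_30 = build_frame(BROADCAST, PC_MAC, 0x0800, PAYLOAD, vlan_id=30)

if __name__ == "__main__":
    for name, frame in [("PC behind unmanaged switch", UNTAGGED),
                        ("frame tagged VLAN 20", TAGGED_20),
                        ("frame tagged VLAN 30", TAGGED_30)]:
        print(name, "->", receiving_interface(frame, "internal7", SUBIFS))
```

A PC behind an unmanaged switch sends untagged frames, so in this model it never reaches `vlan20` unless a VLAN-capable switch adds the tag on its trunk port.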
