Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: VLAN to VLAN?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VLAN to VLAN?
Good afternoon. I have stated before that I do not proclaim to be a firewall expert. I have a Fortigate 110C that I am trying to give all users on a different VLAN have access to ONE address on another VLAN.
I have searched through my documentation and have not found answers on how to do this. I have created 2 polices that allow for all addresses on one VLAN to have access to the one address on the other VLAN and vise-verse.
What am I missing in this procedure? Any thoughts or recommendations?
Thanks in advance Peeps.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Each vlan interface looks like another layer3 interface. So what is your problem and have you validate the policies are correct?
If you assigned a unique l3 subnet on each vlan interface, enable 802.1q on the switchport and have the users in the appropiate vlans, they they should beable to communicate.
diag debug flow is your friend, but I would 1st check layer2 and ensure clients in vlan xyz , can at least ping gateway ip_address of the fgt in vlan xyz and same for clients in vlan abc , can ping their respective gateway of the FGT in vlan abc.
note: rule out the lower layers before moving on.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc, Thanks for the reply. Sadly, I have to say that at the moment, I do not know the difference between level3 interface vs. a level2 or 1? Either way, I am trying to find whre the 802.1q enabling feature is. Is this done through the Network menu? I am going to investigate what you have written better tonight when I can look some definitions up and what not...so thank you for your reply.
I am not 100% I have the policies correct, but I am 80% sure. I say this, because I am not experienced enough to be confident in what I am doing.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
L3 = layer3 ( ip routing )
L2 = layer2
802.1q is a layer2 protocol and once you build the vlan' d subinterfaces you assigned layer3 information to them. The switchport that your on, need 802.1q enable and the appropiate vlans created
Here' s a FGT with a few layer3 subinterfaces built for port2
edit " PV_NET01"
set vdom " root"
set ip 10.200.210.1 255.255.254.0
set allowaccess ping https ssh
set description " misc network #1"
config ipv6
set ip6-address 2001:xx:xxa:4::1/64
set ip6-allowaccess ping https ssh
end
set interface " port2"
set vlanid 50
next
edit " PV_NET02"
set vdom " root"
set ip 10.200.211.1 255.255.254.0
set allowaccess ping https ssh
set description " misc network #2"
config ipv6
set ip6-address 2001:xx:xxa:5::1/64
set ip6-allowaccess ping https ssh
end
set interface " port2"
set vlanid 51
next
The Port 2 is set up for trunking on the switch side of things;
eg ( using the nexus we are plugged on )
interface Ethernet1/30
description mia-dc firewall fgt#1 port2
switchport mode trunk
switchport trunk native vlan 999
switchport trunk allowed vlan 50,51
logging event port link-status
udld aggressive
Once you build the 802.1q subinterfaces on the FGT and then allowed vlan 802.1q on the physical switchpoprts. You apply L3 fwpolicy just like any other interface.
btw: I like to use names on my subinterfaces or make references to the vlan;
e.g I could have written it like;
re' s a FGT with a few layer3 subinterfaces built for port2
edit " vlan50"
set vdom " root"
set ip 10.200.210.1 255.255.254.0
set allowaccess ping https ssh
set description " misc network #1"
config ipv6
set ip6-address 2001:xx:xxa:4::1/64
set ip6-allowaccess ping https ssh
end
set interface " port2"
set vlanid 50
next
edit " vlan51"
set vdom " root"
set ip 10.200.211.1 255.255.254.0
set allowaccess ping https ssh
set description " misc network #2"
config ipv6
set ip6-address 2001:xx:xxa:5::1/64
set ip6-allowaccess ping https ssh
end
set interface " port2"
set vlanid 51
next
etc.....
I hope that make better sense and clears up the picture.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc,
I am just now getting back to trying to resolve this problem. The nature of my business has not allowed for me to focus on this at the moment..
So now, I am back. As I read through the CLI config, I realized that you are possibly using the unit in switch mode.
I am currently using the unit in interface mode.
Am I just misunderstanding?
Thanks,
J
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear all,
i have issue with VLAN,
i have blade switch connected to cisco catalyst switch 2970,and this switch(2970)connected to fortigate 310-b with 2 ports, with blade switch i setup port connected to Cisco switch as trunk,what should i do in cisco switch and in FG that connected to cisco switch with 2 ports..?
Regards
Osaid suliebi
Network Administrator
Palestine Exchange
Osaid suliebi Network Administrator Palestine Exchange
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
looks like you are in interface mode..
Where are your VLANs connected? (Which Port? Where do the Users/VLANs reside - on a other switch?
Which VLANs should communicate?
" Normally" :
Userports are on a seperate VLAN aware switch (Cisco, Alcatel, HP, you name it).
- You connect one Uplink from the switch to the fortigate and tag (802.1q) all Vlans you want to have run through the fortigate-
- create VLAN Subinterface on the port of the Fortigate, that connects the above tagged port (for each Network->Interface->Create New on the corresponding HW Interface. VLAN ID is the VLAN Number)
- Have each VLAN Interface with an IP Adress from the VLAN (ideally make it the default Gateway for the subnet, otherwise have routes for the other subnets on each Client)
- Create Policys
VLAN1 Source IP: IP Network of VLAN1 -> VLAN 10 (Special IP)
VLAN2 Source IP: IP Network of VLAN2 -> VLAN 10 (Special IP)
VLAN3 Source IP: IP Network of VLAN3 -> VLAN 10 (Special IP)
...
You do only need the way Back (VLAN 10 -> VLAN 1-X) when you have connections build up from the Special IP.
You could probably use the any interface (Any -> Special IP), but i dislike that.
hth
Labels
-
FortiGate
10,807 -
FortiClient
2,214 -
FortiManager
906 -
FortiAnalyzer
691 -
5.2
687 -
5.4
638 -
FortiSwitch
598 -
FortiClient EMS
585 -
FortiAP
569 -
IPsec
446 -
6.0
416 -
SSL-VPN
394 -
FortiMail
380 -
5.6
362 -
FortiNAC
299 -
FortiWeb
259 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
208 -
FortiAuthenticator
186 -
FortiGuard
161 -
5.0
152 -
Firewall policy
150 -
FortiGate-VM
141 -
6.4
128 -
FortiCloud Products
120 -
FortiToken
115 -
FortiSIEM
113 -
FortiGateCloud
112 -
Wireless Controller
96 -
High Availability
94 -
Customer Service
88 -
ZTNA
80 -
FortiProxy
79 -
Routing
79 -
SAML
78 -
BGP
74 -
Fortivoice
73 -
DNS
73 -
VLAN
73 -
FortiEDR
71 -
Authentication
71 -
FortiADC
69 -
Certificate
69 -
LDAP
65 -
RADIUS
63 -
FortiLink
59 -
SSO
57 -
NAT
57 -
FortiSandbox
55 -
FortiExtender
52 -
Interface
50 -
VDOM
50 -
4.0MR3
49 -
Application control
48 -
Virtual IP
45 -
FortiDNS
43 -
Logging
43 -
SSL SSH inspection
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
37 -
Web profile
36 -
FortiConnect
35 -
Automation
35 -
FortiWAN
31 -
FortiConverter
31 -
API
30 -
FortiGate v5.2
28 -
Fortigate Cloud
27 -
Traffic shaping
26 -
Static route
26 -
SNMP
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
System settings
22 -
WAN optimization
22 -
FortiMonitor
21 -
OSPF
21 -
Security profile
19 -
Web application firewall profile
19 -
Web rating
19 -
IP address management - IPAM
19 -
FortiSOAR
18 -
FortiAP profile
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
Explicit proxy
16 -
Admin
15 -
IPS signature
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiManager v4.0
14 -
FortiCASB
14 -
NAC policy
14 -
DNS filter
13 -
Users
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
Trunk
11 -
Authentication rule and scheme
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
Application signature
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiNDR
6 -
DoS policy
6 -
FortiCarrier
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2727 | |
| 1417 | |
| 810 | |
| 738 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.