Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jefazo92
New Contributor II

Why is the same IP address assigned for VLAN Switch interfaces in FG-100F?

Hi,


I have an FG-100 with factory settings. When I go to Network -> Interfaces, I notice that there is only one IP assigned for all 20 VLAN Switch interfaces. Why is this so? The FG-100F is a layer 3 switch so every interface should have a different IP and MAC address (even a layer 2 switch should have every interface with a different MAC address). Please, would someone mind helping me understand what is going on here? 

5 REPLIES
ebilcari
Staff

The interfaces are part of the hardware switch, which works as an L2 device attached to the FGT for easy deployment in small branches. The interfaces can easily be removed from the HW switch and used independently as routed ports, as shown here.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
jefazo92
New Contributor II

Thank you very much for your reply. When I remove the interface from the list in VLAN Switch group, the interface goes to the Physical Interface group. However, how may I assign my interface as a routed port? What are the next steps to follow? Do I only have to add a static IP to make it routable or do I need a new group for the interface?


P. S. In the context of your reply, are the interfaces in the VLAN group considered to be the interfaces for L2? I ask this because VLAN is a functionality of a L2 switch which I may not want to use. I will probably want to use L2 interfaces to do "normal" L2 switching. 

ebilcari

Yes, assigning an IP to the interface will make it work as a routed interface, no extra steps required. Remember that FGT is a firewall and you need to add firewall policies (usually for each interface) to allow traffic.


FGT supports both the sub-interface and the L2 VLAN (HW/SW switch) approach. As with other vendors, a sub-interface (tagged traffic) VLAN is locally significant to that (routed) interface and is not spanned. HW/SW switch members share the same L2 broadcast domain.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
jefazo92
New Contributor II

Thank you very much again. Would you mind explaining more regarding your last paragraph? I am having trouble seeing how it relates to whether the VLAN Switch interfaces also refer to normal non-VLAN L2 switch traffic:


"FGT supports both the sub interface and L2 VLAN (HW/SW switch) approach. As per other vendors, sub interface (tagged traffic) VLAN, is locally significant to that (routed) interface and is not spanned."

ebilcari

You can create a sub-interface (Type VLAN) under a physical interface that will accept only tagged traffic for specific VLANs, as shown below. This is usually used to connect the uplink of a switch with many VLANs. In this configuration the L2 broadcast domain ends here; the VLANs are not spanned to the other interfaces of the FGT, and only L3/IP traffic is routed (known as router-on-a-stick).

[Screenshot: sub-interface.PNG]


In the case where two hosts or physical switches need to span the VLANs (L2 broadcast domain) through the FGT, you need to configure a hardware switch.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
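The thread above walks through three things: taking a port out of the hardware switch, turning it into a routed port by giving it an IP, and creating a VLAN sub-interface for tagged uplink traffic (router-on-a-stick), all of which still need firewall policies before any traffic passes. The FortiOS CLI script below is an added example written for this thread; it is not configuration from the original posts or from Fortinet documentation. The hardware switch name "lan", the physical-switch id "sw0", the port names port5/port6/wan1, the VLAN id 20 and all IP addresses are assumed values chosen for illustration and must be replaced with the names shown on your own unit.

```fortios
# Added example (assumed names and addresses, not from the original thread).
# 1. Remove port5 from the default hardware switch so it is no longer an
#    L2 member sharing the switch's single IP and broadcast domain.
#    (Assumption: the 100F default hardware switch is "lan" on "sw0".)
config system virtual-switch
    edit "lan"
        set physical-switch "sw0"
        config port
            delete "port5"
        end
    next
end

# 2. port5 is now a plain physical interface. Assigning an IP makes it a
#    routed (L3) port; its own MAC is used on the wire. Keep management
#    access on it to the minimum needed (ping only here).
config system interface
    edit "port5"
        set vdom "root"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
end

# 3. Router-on-a-stick: a VLAN sub-interface under port6 that accepts
#    only 802.1Q frames tagged VLAN 20. The L2 domain of VLAN 20 ends
#    here; it is not bridged to port5 or to the hardware switch.
config system interface
    edit "vlan20"
        set vdom "root"
        set interface "port6"
        set vlanid 20
        set ip 192.168.20.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
end

# 4. Nothing flows until a policy allows it. One explicit, logged policy
#    per interface pair, restricted to the services actually needed,
#    instead of an "all services" rule. "edit 0" lets FortiOS pick the
#    next free policy ID.
config firewall policy
    edit 0
        set name "port5-lan-to-wan"
        set srcintf "port5"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS" "DNS"
        set nat enable
        set logtraffic all
    next
    edit 0
        set name "vlan20-to-wan"
        set srcintf "vlan20"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS" "DNS"
        set nat enable
        set logtraffic all
    next
end
```

Two checks worth running afterwards: `get system interface physical` should show port5 with its own IP and MAC rather than the switch's, and `diagnose sniffer packet port6 'vlan'` should show only tagged frames arriving on the uplink. Because port5 and vlan20 are separate L3 segments, hosts on them can only reach each other through a policy you write explicitly, which is the intended isolation; the hardware-switch members, by contrast, forward to each other at L2 without any policy check.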