I need to perform routing on a stick with Cisco switches, so I need to create vlans on my Fortigate interfaces.
https://kb.fortinet.com/kb/viewContent.do?externalId=FD30883
Reviewed the above link/article, but what is interesting is that an IP is already assigned at the physical interface. Does that IP and physical interface get bonded to vlan1 untagged? I noticed how the instructions use 'vlanid 100', which I would suspect is applying the vlan 100 tag on the 802.1Q port.
I do not have a lab to play/test this; however, I want to minimize the possibility in advance of running into a 'vlan 1 mismatch'.
What I am thinking is that NO IP address should be applied at the physical interface, and only IP addresses applied on sub-interfaces, which would make sense if this were Cisco and their concept of SVI.
What is the best way to tag vlans on the Fortigate when needing to provide routing on a stick capability for Cisco and some HP switches?
Follow the KB, and any address already assigned to the interface would be untagged and follow the Cisco native VLAN for the port it's connected to.
So define your trunk port, allow the VLAN, and configure the vlan-id on the FGT.
Ken Felix
PCNSE
NSE
StrongSwan
emnoc wrote:
Follow the KB, and any address already assigned to the interface would be untagged and follow the Cisco native VLAN for the port it's connected to.
So define your trunk port, allow the VLAN, and configure the vlan-id on the FGT.
Ken Felix

Do you know if Fortigate has the SVI concept, where you can make subinterfaces with IP address assigned? IMHO I do not find the Fortigate KB very helpful beyond the "lets get going" level for quick startup. Not to mention I have not been able to find a good (Cisco 2 Fortigate) speak translation in concepts; however, I am new to Fortigate, but it seems to be a good product.
Mismatch native VLAN alarm is just that, an alarm. It still functions, but potentially bridges networks that are meant to be separated if you do it wrong. Think of your ISP handoff... you use untagged VLAN whatever, but the ISP may use untagged VLAN something else on their side. It doesn't matter in this case as the networks are intentionally bridged.
But yes, the physical interface is always untagged. I think that's what Sebastian was trying to tell you by saying the VLAN is always a virtual (or sub-) interface. FortiGate SVI isn't exactly like Cisco in the sense that it can't be attached to multiple physical interfaces, but instead is bonded to the single physical interface it is created on.
It seems like you need to trust your understanding of it as you seem to have all the concepts correct from what I can see.
lobstercreed wrote:
Mismatch native VLAN alarm is just that, an alarm. It still functions, but potentially bridges networks that are meant to be separated if you do it wrong. Think of your ISP handoff... you use untagged VLAN whatever, but the ISP may use untagged VLAN something else on their side. It doesn't matter in this case as the networks are intentionally bridged.
But yes, the physical interface is always untagged. I think that's what Sebastian was trying to tell you by saying the VLAN is always a virtual (or sub-) interface. FortiGate SVI isn't exactly like Cisco in the sense that it can't be attached to multiple physical interfaces, but instead is bonded to the single physical interface it is created on.
It seems like you need to trust your understanding of it as you seem to have all the concepts correct from what I can see.

Ok much appreciated! I will have to dig through the Fortigate, because the 'potentially bridges networks' is a big issue in my case in this deployment.
However, thank you for your insight!
basically a vlan on a fortigate is always treated as a virtual interface. That is just bound to a physical interface.
So the physical interface stays on its own and can have its own ip and policies etc. Same for the vlan interface.
Also vlans on FGT are always tagged.
So if traffic reaches the physical interface and is tagged with the vid of your vlan it will go to the virtual interface...
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
You can absolutely use the physical interface as well as the virtual ones. FortiGate will send/receive packets through it untagged, so it doesn't matter what VLAN ID you configure as native/untagged on the other side (Cisco switch).
Since people get hung up on how to do this properly though, it's not a bad idea to leave no IP and not use the interface for untagged traffic at all. It might make it easier for the person after you.
lobstercreed wrote:
You can absolutely use the physical interface as well as the virtual ones. FortiGate will send/receive packets through it untagged, so it doesn't matter what VLAN ID you configure as native/untagged on the other side (Cisco switch).
Since people get hung up on how to do this properly though, it's not a bad idea to leave no IP and not use the interface for untagged traffic at all. It might make it easier for the person after you.

I am not sure that is 100% true with what you say "so it doesn't matter what VLAN ID you configure as native/untagged on the other side (Cisco switch)". I have seen where this could lead to a mismatch vlan alarm on the Cisco side.
So are you saying that the top level is always untagged? Looking at the KB it appears that way and how the tag is not applied.
sw2090 wrote:
basically a vlan on a fortigate is always treated as a virtual interface. That is just bound to a physical interface.
So the physical interface stays on its own and can have its own ip and policies etc. Same for the vlan interface.
Also vlans on FGT are always tagged.
So if traffic reaches the physical interface and is tagged with the vid of your vlan it will go to the virtual interface...

You confuse me!
The KB shows the vlanid only being applied to the subinterface, and not the top level. Cisco has a concept called SVI, does Fortigate have that concept?
yes the vlanid is only applied to the subinterface. The word "untagged" is somehow confusing. Because on switches it usually doesn't mean there is no vlan tag on that traffic. On most switches "untagged" indeed means that all traffic that doesn't have a vlan tag or has a vlan tag that doesn't match any vlan that is tagged on that port will be re-tagged to the "untagged" vlan.
On a FGT it means traffic that has a vlan id matching a vlan subinterface will hit the subinterface and traffic coming from vlan subinterface will be tagged with that subinterface's vlan id. All other traffic will not get a vlan tag at all on the FGT and will hit the physical interface then (Or come from there).
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
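The mapping sw2090 describes (a tagged frame whose VID matches a subinterface lands on that subinterface, untagged traffic stays on the physical interface) and the native-VLAN / "potentially bridges networks" concern raised earlier in the thread, as an added Python example that is not from this thread, from Fortinet or from Cisco. It parses constructed FortiOS and Cisco IOS snippets (interface names, addresses and VLAN IDs are made up) and reports the disagreements that a native-VLAN mismatch alarm or an unintended bridge would come from. Two assumptions are mine: the parsers accept only the small subset of FortiOS/IOS syntax shown, and a tag that no subinterface claims is modelled as reaching no interface at all.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed FortiOS config: port1 keeps an untagged IP; vlan100/vlan400 are bound to it.
FGT_CONFIG = """\
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
    next
    edit "vlan100"
        set interface "port1"
        set vlanid 100
        set ip 10.100.0.1 255.255.255.0
    next
    edit "vlan400"
        set interface "port1"
        set vlanid 400
        set ip 10.40.0.1 255.255.255.0
    next
end
"""

# Constructed Cisco IOS trunk facing port1: native 99, VLAN 300 unused on the FGT, 400 not allowed.
CISCO_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport trunk native vlan 99
 switchport trunk allowed vlan 99,100,300
 switchport mode trunk
"""

@dataclass
class Iface:
    name: str
    parent: Optional[str] = None  # physical port a VLAN subinterface is bound to
    vlanid: Optional[int] = None  # 802.1Q tag; None on the physical (untagged) interface
    ip: Optional[str] = None

@dataclass
class Trunk:
    native: Optional[int]
    allowed: Set[int]

def parse_fgt(text: str) -> Dict[str, Iface]:
    # Minimal reader for FortiOS 'config system interface' blocks (assumed subset of syntax).
    ifaces: Dict[str, Iface] = {}
    cur: Optional[Iface] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r'edit "([^"]+)"', line):
            cur = ifaces[m.group(1)] = Iface(m.group(1))
        elif cur is None or line == "next":
            cur = None
        elif m := re.match(r'set interface "([^"]+)"', line):
            cur.parent = m.group(1)
        elif m := re.match(r"set vlanid (\d+)", line):
            cur.vlanid = int(m.group(1))
        elif m := re.match(r"set ip (\S+) (\S+)", line):
            cur.ip = f"{m.group(1)}/{m.group(2)}"
    return ifaces

def parse_cisco_trunk(text: str) -> Trunk:
    # Reads native and allowed VLANs (comma lists and ranges) from a Cisco IOS trunk stanza.
    native, allowed = None, set()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"switchport trunk native vlan (\d+)", line):
            native = int(m.group(1))
        elif m := re.match(r"switchport trunk allowed vlan (?:add )?([\d,-]+)", line):
            for part in m.group(1).split(","):
                lo, _, hi = part.partition("-")
                allowed.update(range(int(lo), int(hi or lo) + 1))
    return Trunk(native, allowed)

def classify_frame(ifaces: Dict[str, Iface], phys: str, vid: Optional[int]) -> Optional[str]:
    """Untagged -> physical interface; tagged -> subinterface on `phys` with that vlanid;
    a tag no subinterface claims -> None (modelled as reaching no interface)."""
    if vid is None:
        return phys
    return next((i.name for i in ifaces.values() if i.parent == phys and i.vlanid == vid), None)

def check_trunk(ifaces: Dict[str, Iface], phys: str, trunk: Trunk) -> List[str]:
    """Flag VLAN and native-VLAN disagreements between the FGT port and the switch trunk."""
    findings: List[str] = []
    subs = {i.vlanid: i.name for i in ifaces.values() if i.parent == phys and i.vlanid is not None}
    for vid, name in sorted(subs.items()):
        if vid not in trunk.allowed:
            findings.append(f"{name}: VLAN {vid} is not allowed on the trunk; its tagged traffic will not pass")
        if vid == trunk.native:
            findings.append(f"{name}: VLAN {vid} is the switch native VLAN, sent untagged but expected tagged on the FGT")
    phys_if = ifaces.get(phys)
    if phys_if is not None and phys_if.ip and trunk.native is not None:
        findings.append(f"{phys}: untagged IP {phys_if.ip} lands in switch VLAN {trunk.native}; confirm that is the intended network")
    for vid in sorted(trunk.allowed - set(subs) - {trunk.native}):
        findings.append(f"VLAN {vid}: allowed on the trunk but no subinterface on {phys} claims it")
    return findings

if __name__ == "__main__":
    for line in check_trunk(parse_fgt(FGT_CONFIG), "port1", parse_cisco_trunk(CISCO_CONFIG)):
        print(line)
```

With the constructed configs the check reports three things: vlan400 is tagged on the FGT but not allowed on the trunk, port1's untagged IP sits in whatever the switch calls its native VLAN (99 here, which is exactly the case where "you do it wrong" bridges networks that should be separate), and VLAN 300 is allowed on the trunk but claimed by nothing on the FGT. Leaving the physical interface without an IP, as suggested earlier in the thread, makes the second finding disappear.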