Administration Guide

Virtual VLAN switch

The hardware switch ports on FortiGate models that support virtual VLAN switches can be used as a layer 2 switch. Virtual VLAN switch mode allows 802.1Q VLANs to be assigned to ports, and the configuration of one interface as a trunk port.

The following FortiGate series are supported in FortiOS 7.0: 60F, 80F, 100E, 100F, 140E, 200F, 300E, 400E, 1100E, 1800F, 2600F, 3000F, 3500F, 4200F, and 4400F.

The virtual-switch-vlan option must be enabled in the CLI to configure VLAN switch mode from the GUI or CLI.

To enable VLAN switches:
config system global
    set virtual-switch-vlan enable
end

After this setting is enabled, any previously configured hardware switches will appear in the Network > Interfaces page under VLAN Switch.

To enable VLAN switch mode in the GUI:
  1. Go to System > Settings.
  2. In the View Settings section, enable VLAN switch mode.
  3. Click Apply.

Basic configurations

Hardware switch ports can be configured as either a VLAN switch port or a trunk port. The available interfaces and allowable VLAN IDs depend on the FortiGate model. It is recommended to remove ports from the default VLAN switch before you begin configuration.

To create a new VLAN and assign ports in the GUI:
  1. Go to Network > Interfaces and click Create New > Interface.
  2. Enter a name and configure the following:
    1. Set the Type to VLAN Switch.
    2. Enter a VLAN ID.
    3. Click the + and add the Interface Members.
    4. Configure the Address and Administrative Access settings as needed.
  3. Click OK.
To create a new VLAN and assign ports in the CLI:
  1. Configure the VLAN:
    config system virtual-switch
        edit "VLAN10"
            set physical-switch "sw0"
            set vlan 10
            config port
                edit "internal1"
                next
                edit "internal2"
                next
            end
        next
    end
  2. Configure the VLAN switch interface addressing:
    config system interface
        edit "VLAN10"
            set vdom "root"
            set ip 192.168.10.99 255.255.255.0
            set allowaccess ping https ssh snmp http fgfm
            set type hard-switch
        next
    end
To designate an interface as a trunk port:
config system interface
    edit internal5
        set trunk enable
    next
end
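A small checker for the structure shown above, added here as an example rather than anything from the FortiOS documentation or product: it parses a config system virtual-switch block into VLAN switches and their member ports, then flags VLAN IDs outside 1-4094, a VLAN ID used by two switches, and a port assigned to more than one VLAN switch (a hardware switch port can belong to only one). The sample input is constructed and deliberately assigns internal2 to both VLAN10 and VLAN20.

```python
# Constructed sample in the page's CLI syntax, with internal2 deliberately
# assigned to both VLAN switches so the checker has something to flag.
SAMPLE = """
config system virtual-switch
    edit "VLAN10"
        set vlan 10
        config port
            edit "internal1"
            next
            edit "internal2"
            next
        end
    next
    edit "VLAN20"
        set vlan 20
        config port
            edit "internal2"
            next
        end
    next
end
"""

def parse_virtual_switches(text):
    """Parse a 'config system virtual-switch' block into {name: {"vlan": id, "ports": [...]}}."""
    switches, current, in_port = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config port":
            in_port = True
        elif line == "end" and in_port:
            in_port = False
        elif line.startswith("edit "):
            name = line[5:].strip().strip('"')
            if in_port:
                switches[current]["ports"].append(name)
            else:
                current, switches[name] = name, {"vlan": 0, "ports": []}
        elif line.startswith("set vlan ") and current and not in_port:
            switches[current]["vlan"] = int(line.split()[2])
    return switches

def check_virtual_switches(switches):
    """Flag VLAN IDs outside 1-4094, reused VLAN IDs, and ports in more than one switch."""
    problems, seen_vlan, seen_port = [], {}, {}
    for name, sw in switches.items():
        vid = sw["vlan"]
        if not 1 <= vid <= 4094:
            problems.append(f"{name}: VLAN ID {vid} outside 1-4094")
        elif seen_vlan.setdefault(vid, name) != name:
            problems.append(f"{name}: VLAN {vid} already used by {seen_vlan[vid]}")
        for port in sw["ports"]:
            if seen_port.setdefault(port, name) != name:
                problems.append(f"{port}: assigned to both {seen_port[port]} and {name}")
    return problems
```

Run it over a pasted `show system virtual-switch` output before committing a change; an empty list means the port and VLAN assignments are consistent.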

Example 1: HA using a VLAN switch

In this example, two FortiGates in an HA cluster are connected to two ISP routers. Instead of connecting through external L2 switches, each FortiGate connects to each ISP router on the same hardware switch port and the same VLAN. A trunk port connects the two FortiGates and carries the 802.1Q tagged traffic from one to the other. This gives a full mesh between the FortiGate cluster and the ISP routers, so no single point of failure disrupts traffic.

This example assumes that the HA settings are already configured. The interface and VLAN switch settings are identical between cluster members and synchronized. See HA using a hardware switch to replace a physical switch for a similar example that does not use a VLAN switch.

To configure the VLAN switches:
  1. Configure the ISP interfaces with the corresponding VLAN IDs:
    config system virtual-switch
        edit "ISP1"
            set physical-switch "sw0"
            set vlan 2951
            config port
                edit "port1"
                next
            end
        next
        edit "ISP2"
            set physical-switch "sw0"
            set vlan 2952
            config port
                edit "port2"
                next
            end
        next
    end
  2. Configure the VLAN switch interface addressing:
    config system interface
        edit "ISP1"
            set vdom "root"
            set ip 192.168.10.99 255.255.255.0
            set allowaccess ping
            set type hard-switch
        next
        edit "ISP2"
            set vdom "root"
            set ip 192.168.20.99 255.255.255.0
            set allowaccess ping
            set type hard-switch
        next
    end
  3. Designate port15 as the trunk port:
    config system interface
        edit port15
            set trunk enable
        next
    end
  4. Configure firewall policies to allow outgoing traffic on the ISP1 and ISP2 interfaces:
    config firewall policy
        edit 1
            set srcintf "port11"
            set dstintf "ISP1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
        edit 2
            set srcintf "port11"
            set dstintf "ISP2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end

Example 2: LAN extension

In this example, two hardware switch ports are assigned VLAN10, and two ports are assigned VLAN20 on FortiGate B. The wan2 interface is designated as the trunk port, and is connected to the upstream FortiGate A. The corresponding VLAN subinterfaces VLAN10 and VLAN20 on the upstream FortiGate allow further access to other networks.

Note

The available interfaces and VLAN IDs vary between FortiGate models. FortiGate B in this example is a 60F model.

To configure FortiGate B:
  1. Configure the VLAN interfaces:
    config system virtual-switch
        edit "VLAN10"
            set physical-switch "sw0"
            set vlan 10
            config port
                edit "internal1"
                next
                edit "internal2"
                next
            end
        next
        edit "VLAN20"
            set physical-switch "sw0"
            set vlan 20
            config port
                edit "internal3"
                next
                edit "internal4"
                next
            end
        next
    end
  2. Configure the VLAN switch interface addressing:
    config system interface
        edit "VLAN10"
            set vdom "root"
            set ip 192.168.10.99 255.255.255.0
            set allowaccess ping https ssh snmp http fgfm
            set type hard-switch
        next
        edit "VLAN20"
            set vdom "root"
            set ip 192.168.20.99 255.255.255.0
            set allowaccess ping https ssh snmp http fgfm
            set type hard-switch
        next
    end
  3. Designate wan2 as the trunk port:
    config system interface
        edit wan2
            set trunk enable
        next
    end
To configure FortiGate A:
  1. Configure the VLAN subinterfaces:
    config system interface
        edit "VLAN10"
            set ip 192.168.10.98 255.255.255.0
            set allowaccess ping https ssh
            set role lan
            set interface "dmz"
            set vlanid 10
        next
        edit "VLAN20"
            set ip 192.168.20.98 255.255.255.0
            set allowaccess ping https ssh
            set role lan
            set interface "dmz"
            set vlanid 20
        next
    end
  2. Configure the DHCP server on VLAN10:
    config system dhcp server
        edit 0
            set dns-service default
            set default-gateway 192.168.10.98
            set netmask 255.255.255.0
            set interface "VLAN10"
            config ip-range
                edit 1
                    set start-ip 192.168.10.100
                    set end-ip 192.168.10.254
                next
            end
            set timezone-option default
        next
    end
  3. Configure firewall policies that allow traffic from the VLAN10 and VLAN20 interfaces to the internet:
    config firewall policy
        edit 0
            set name "VLAN10-out"
            set srcintf "VLAN10"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
        edit 0
            set name "VLAN20-out"
            set srcintf "VLAN20"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
To test the connection:
  1. Connect a PC to internal1 on FortiGate B.
  2. Verify that it receives an IP address from FortiGate A’s DHCP server.
  3. From the PC, ping FortiGate B on 192.168.10.99.
  4. Ping FortiGate A on 192.168.10.98.
  5. Connect to the internet. Traffic is allowed by the VLAN10-out policy.
