Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    7.6.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    Support QinQ with the switch controller 7.6.1

    Support QinQ with the switch controller 7.6.1

    The FortiOS switch controller now supports QinQ. With QinQ, each client of a managed security service provider (MSSP) can have a unique customer VLAN with a self-managed 4k VLAN range in its own virtual domain. QinQ allows better segregation and control over network traffic.

    QinQ allows you to have multiple VLAN headers in an Ethernet frame. The value of the EtherType field specifies where the VLAN header is placed in the Ethernet frame.

    Use the VLAN TPID profile to specify the value of the EtherType field. The FortiSwitch unit supports a maximum of four VLAN TPID profiles, including the default (0x8100). Use the default (0x8100) VLAN TPID profile to reach layer 3. The default VLAN TPID profile (0x8100) cannot be deleted or changed.

    Note

    To see which FortiSwitch models support this feature, refer to the FortiSwitch feature matrix.
    tooltip icon

    The following features are not supported with QinQ:

    • DHCP relay
    • DHCP snooping
    • IGMP snooping
    • IP source guard
    • PVLAN
    • STP
    Note

    Settings under config QinQ are for customer VLANs (C-VLANs). Other settings such as set allowed-vlans, set native-vlan, and set vlan-tpid are for service-provider VLANs (S-VLANs).
    To configure QinQ with the switch controller:

    1. Using the FortiOS CLI, create a separate VDOM for each customer.

    2. Using the FortiOS CLI, create VLANs for each customer and assign the VLANs to the appropriate VDOM.

    3. Using the FortiOS CLI, configure QinQ for the managed switch port that will be used by the customerʼs VLANs.

    Create a VDOM for each customer

    Use the FortiOS CLI to configure a separate VDOM for each customer. For example:

    config vdom

    edit root

    next

    edit vdom1

    next

    end

    Create VLANs for each customer

    Use the FortiOS CLI to create VLANs foreach customer and assign the VLANs to the appropriate VDOM.

    The S-VLAN must be configured on the same VDOM where the FortiLink interface is; for example, if the FortiLink interface is on the root VDOM, all S-VLANs must be defined in the root VDOM.

    In the following example, three VLANs are created and then assigned to the same VDOM:

    config system interface

    edit "c1.svlan999"

    set vdom "root"

    set device-identification enable

    set role lan

    set snmp-index 52

    set interface "fortilink"

    set vlanid 999

    next

    end

    config system interface

    edit "c1.cvlan10"

    set vdom "root"

    set ip 15.1.1.1 255.255.255.0

    set allowaccess ping

    set device-identification enable

    set role lan

    set snmp-index 53

    set interface "c1.svlan999"

    set vlanid 10

    next

    end

    config system interface

    edit "c1.cvlan20"

    set vdom "root"

    set ip 16.1.1.1. 255.255.255.0

    set allowaccess ping

    set device-identification enable

    set role lan

    set snmp-index 54

    set interface "c1.svlan999"

    set vlanid 20

    next

    end

    In the following example, three VLANs are created and then assigned to the root or vdom1 VDOM:

    config system interface

    edit "909824.1"

    set vdom "vdom1"

    set interface "fortilink"

    set vlanid 3000

    next

    end

    config system interface

    edit "1.vlan1"

    set vdom "root"

    set interface "909824.1"

    set vlanid 1

    next

    end

    config system interface

    edit "1.vlan2"

    set vdom "root"

    set interface "909824.1"

    set vlanid 2

    next

    end

    Configure QinQ with the switch controller

    Use the FortiOS CLI to configure QinQ for the managed switch port that will be used by the customerʼs VLANs. In the following example, QinQ is enabled on port10 of the managed switch:

    config switch-controller managed-switch

    edit "S248EPTF18001384"

    config ports

    edit "port10"

    set qnq "909824.1"

    set vlan "1.vlan1"

    set allowed-vlans "1.vlan2"

    next

    end

    next

    end

    If you enable the set allowed-vlans-all command when QinQ is enabled, all C-VLANs in that VDOM that have the same parent interface as the set qnq VLAN are pushed. In the following example, all C-VLANs in the root VDOM with svlan100 as the parent interface are pushed:

    config switch-controller managed-switch

    edit S548DN5018000532

    config ports

    edit "port16"

    set vlan "cv_sv_50"

    set allowed-vlans-all enable

    set export-to "root"

    set mac-addr 70:4c:a5:a5:9d:59

    set qnq "svlan100"

    next

    end

    next

    end

    Configuration example

    In this example, there are two customers. Customer c1 is assigned a customer tag of 3000 and VLANs 1-4094. Customer c2 is assigned a customer tag of 3001 and VLANs 1-4094.

    1. Use the FortiOS CLI to create separate VDOMs for the two customers, c1 and c2.

      config vdom

      edit root

      next

      edit c1

      next

      edit c2

      next

      end

    2. Use the FortiOS CLI to create VLANs for each customer and assign the VLANs to the appropriate VDOM. In this example, you create three VLANs for customer c1 and three VLANs for customer c2.

      config system interface

      edit "fortilink"

      set fortilink enable

      next

      edit "customer.c1"

      set vdom "root"

      set interface "fortilink"

      set vlanid 3000

      next

      edit "customer.c2"

      set vdom "root"

      set interface "fortilink"

      set vlanid 3001

      next

      edit "c1.vlan1"

      set vdom "c1"

      set interface "customer.c1"

      set vlanid 1

      next

      edit "c1.vlan10"

      set vdom "c1"

      set interface "customer.c1"

      set vlanid 10

      next

      edit "c1.vlan20"

      set vdom "c1"

      set interface "customer.c1"

      set vlanid 20

      next

      edit "c2.vlan1"

      set vdom "c2"

      set interface "customer.c2"

      set vlanid 1

      next

      edit "c2.vlan10"

      set vdom "c2"

      set interface "customer.c2"

      set vlanid 10

      next

      edit "c2.vlan20"

      set vdom "c2"

      set interface "customer.c2"

      set vlanid 20

      next

      end

    3. Use the FortiOS CLI to configure QinQ for the managed switch port (port8) that will be used by the VLANs (1, 10, and 20) for customer c1.

      config switch-controller managed-switch

      edit "S108DV3A17000077"

      config ports

      edit "port8"

      set qnq "customer.c1"

      set vlan "c1.vlan1"

      set allowed-vlans "c1.vlan10" "c1.vlan20"

      next

      end

      next

      end

    4. Use the FortiOS CLI to configure QinQ for the managed switch port (port9) that will be used by the VLANs (1, 10, and 20) for customer c2

      config switch-controller managed-switch

      edit "S548DF5018000776"

      config ports

      edit "port9"

      set qnq "customer.c2"

      set vlan "c2.vlan1"

      set allowed-vlans "c2.vlan10" "c2.vlan20"

      next

      end

      next

      end

    Previous
    Next

    Support QinQ with the switch controller 7.6.1

    Support QinQ with the switch controller 7.6.1

    The FortiOS switch controller now supports QinQ. With QinQ, each client of a managed security service provider (MSSP) can have a unique customer VLAN with a self-managed 4k VLAN range in its own virtual domain. QinQ allows better segregation and control over network traffic.

    QinQ allows you to have multiple VLAN headers in an Ethernet frame. The value of the EtherType field specifies where the VLAN header is placed in the Ethernet frame.

    Use the VLAN TPID profile to specify the value of the EtherType field. The FortiSwitch unit supports a maximum of four VLAN TPID profiles, including the default (0x8100). Use the default (0x8100) VLAN TPID profile to reach layer 3. The default VLAN TPID profile (0x8100) cannot be deleted or changed.

    Note

    To see which FortiSwitch models support this feature, refer to the FortiSwitch feature matrix.
    tooltip icon

    The following features are not supported with QinQ:

    • DHCP relay
    • DHCP snooping
    • IGMP snooping
    • IP source guard
    • PVLAN
    • STP
    Note

    Settings under config QinQ are for customer VLANs (C-VLANs). Other settings such as set allowed-vlans, set native-vlan, and set vlan-tpid are for service-provider VLANs (S-VLANs).
    To configure QinQ with the switch controller:

    1. Using the FortiOS CLI, create a separate VDOM for each customer.

    2. Using the FortiOS CLI, create VLANs for each customer and assign the VLANs to the appropriate VDOM.

    3. Using the FortiOS CLI, configure QinQ for the managed switch port that will be used by the customerʼs VLANs.

    Create a VDOM for each customer

    Use the FortiOS CLI to configure a separate VDOM for each customer. For example:

    config vdom

    edit root

    next

    edit vdom1

    next

    end

    Create VLANs for each customer

    Use the FortiOS CLI to create VLANs foreach customer and assign the VLANs to the appropriate VDOM.

    The S-VLAN must be configured on the same VDOM where the FortiLink interface is; for example, if the FortiLink interface is on the root VDOM, all S-VLANs must be defined in the root VDOM.

    In the following example, three VLANs are created and then assigned to the same VDOM:

    config system interface

    edit "c1.svlan999"

    set vdom "root"

    set device-identification enable

    set role lan

    set snmp-index 52

    set interface "fortilink"

    set vlanid 999

    next

    end

    config system interface

    edit "c1.cvlan10"

    set vdom "root"

    set ip 15.1.1.1 255.255.255.0

    set allowaccess ping

    set device-identification enable

    set role lan

    set snmp-index 53

    set interface "c1.svlan999"

    set vlanid 10

    next

    end

    config system interface

    edit "c1.cvlan20"

    set vdom "root"

    set ip 16.1.1.1. 255.255.255.0

    set allowaccess ping

    set device-identification enable

    set role lan

    set snmp-index 54

    set interface "c1.svlan999"

    set vlanid 20

    next

    end

    In the following example, three VLANs are created and then assigned to the root or vdom1 VDOM:

    config system interface

    edit "909824.1"

    set vdom "vdom1"

    set interface "fortilink"

    set vlanid 3000

    next

    end

    config system interface

    edit "1.vlan1"

    set vdom "root"

    set interface "909824.1"

    set vlanid 1

    next

    end

    config system interface

    edit "1.vlan2"

    set vdom "root"

    set interface "909824.1"

    set vlanid 2

    next

    end

    Configure QinQ with the switch controller

    Use the FortiOS CLI to configure QinQ for the managed switch port that will be used by the customerʼs VLANs. In the following example, QinQ is enabled on port10 of the managed switch:

    config switch-controller managed-switch

    edit "S248EPTF18001384"

    config ports

    edit "port10"

    set qnq "909824.1"

    set vlan "1.vlan1"

    set allowed-vlans "1.vlan2"

    next

    end

    next

    end

    If you enable the set allowed-vlans-all command when QinQ is enabled, all C-VLANs in that VDOM that have the same parent interface as the set qnq VLAN are pushed. In the following example, all C-VLANs in the root VDOM with svlan100 as the parent interface are pushed:

    config switch-controller managed-switch

    edit S548DN5018000532

    config ports

    edit "port16"

    set vlan "cv_sv_50"

    set allowed-vlans-all enable

    set export-to "root"

    set mac-addr 70:4c:a5:a5:9d:59

    set qnq "svlan100"

    next

    end

    next

    end

    Configuration example

    In this example, there are two customers. Customer c1 is assigned a customer tag of 3000 and VLANs 1-4094. Customer c2 is assigned a customer tag of 3001 and VLANs 1-4094.

    1. Use the FortiOS CLI to create separate VDOMs for the two customers, c1 and c2.

      config vdom

      edit root

      next

      edit c1

      next

      edit c2

      next

      end

    2. Use the FortiOS CLI to create VLANs for each customer and assign the VLANs to the appropriate VDOM. In this example, you create three VLANs for customer c1 and three VLANs for customer c2.

      config system interface

      edit "fortilink"

      set fortilink enable

      next

      edit "customer.c1"

      set vdom "root"

      set interface "fortilink"

      set vlanid 3000

      next

      edit "customer.c2"

      set vdom "root"

      set interface "fortilink"

      set vlanid 3001

      next

      edit "c1.vlan1"

      set vdom "c1"

      set interface "customer.c1"

      set vlanid 1

      next

      edit "c1.vlan10"

      set vdom "c1"

      set interface "customer.c1"

      set vlanid 10

      next

      edit "c1.vlan20"

      set vdom "c1"

      set interface "customer.c1"

      set vlanid 20

      next

      edit "c2.vlan1"

      set vdom "c2"

      set interface "customer.c2"

      set vlanid 1

      next

      edit "c2.vlan10"

      set vdom "c2"

      set interface "customer.c2"

      set vlanid 10

      next

      edit "c2.vlan20"

      set vdom "c2"

      set interface "customer.c2"

      set vlanid 20

      next

      end

    3. Use the FortiOS CLI to configure QinQ for the managed switch port (port8) that will be used by the VLANs (1, 10, and 20) for customer c1.

      config switch-controller managed-switch

      edit "S108DV3A17000077"

      config ports

      edit "port8"

      set qnq "customer.c1"

      set vlan "c1.vlan1"

      set allowed-vlans "c1.vlan10" "c1.vlan20"

      next

      end

      next

      end

    4. Use the FortiOS CLI to configure QinQ for the managed switch port (port9) that will be used by the VLANs (1, 10, and 20) for customer c2

      config switch-controller managed-switch

      edit "S548DF5018000776"

      config ports

      edit "port9"

      set qnq "customer.c2"

      set vlan "c2.vlan1"

      set allowed-vlans "c2.vlan10" "c2.vlan20"

      next

      end

      next

      end

    Previous
    Next