Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    7.6.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    Enhance network performance with VLAN pruning 7.6.1

    Enhance network performance with VLAN pruning 7.6.1

    Starting in FortiOS 7.6.1 with FortiSwitchOS 7.6.1, the FortiOS switch controller supports VLAN pruning. VLAN pruning prevents unnecessary traffic from unused VLANs by only allowing traffic from the VLANs required for the inter-switch link (ISL) trunks. This process makes networks more efficient and preserves bandwidth. In addition, VLAN pruning eliminates the time spent on manual VLAN pruning and reduces the chance of errors. By default, VLAN pruning is disabled.

    To enable VLAN pruning in FortiOS:

    config switch-controller global

    set vlan-optimization prune

    end

    To disable VLAN pruning in FortiOS:

    config switch-controller global

    set vlan-optimization {configured | none}

    end

    To display all VLANs learned using VLAN pruning on a FortiSwitch unit:

    diagnose switch vlan-pruning dynamic-vlan list [<interface_name>]

    For example:

    diagnose switch vlan-pruning dynamic-vlan list port10

    Note

    Although FortiOS leverages the Generic VLAN Registration Protocol (GVRP) message format to exchange internal control packets for the VLAN-pruning feature, the firmware is currently not fully compliant with the IEEE 802.1r-based standard GVRP specification.
    To display the received and transmitted counters with GVRP-formatted messages on a FortiSwitch unit:

    diagnose switch vlan-pruning protocol-packet stats [<interface_name>]

    For example:

    FS1E48T422005187 # diagnose switch vlan-pruning protocol-packet stats

    Receive(RX) and transmit(TX) counters for GVRP vlan states

    RX: JE JI LE LI LA E

    TX: JE JI LE LI LA E

    JE: JoinEmpty JI: JoinIn LE: LeaveEmpty

    LI: LeaveIn LA: LeaveAll E: Empty

    Configuration example

    In the following example, a FortiGate device manages two FortiSwitch units.

    1. Configure the native VLAN on the managed FortiSwitch port. FortiSwitch1 has vlan1 and vlan11, and FortiSwitch2 has vlan11

      config switch interface

      edit port21

      set native-vlan vlan1

      next

      end

      config switch interface

      edit port22

      set native-vlan vlan11

      next

      end

      config switch interface

      edit port47

      set native-vlan vlan11

      next

      end

    2. Enable VLAN pruning on the FortiGate device.

      FGT_A (vdom1) (Interim)# config switch-controller global

      FGT_A (global) (Interim)# set vlan-optimization prune

      FGT_A (global) (Interim)# end

    3. Check VLAN pruning on the FortiSwitch1 auto-generated trunk interface. Only vlan11 and vlan4093 (the quarantine VLAN configured in the set allowed-vlans command on all FortiSwitch ports) are allowed, and vlan1 is not.

      config switch trunk

      edit "8EPTF18001384-0"

      set mode lacp-active

      set auto-isl 1

      set members "port22"

      next

      end

      S524DN4K16000116 # diagnose switch vlan-pruning dynamic-vlan list 8EPTF18001384-0

      8EPTF18001384-0 :

      vlans : 11 4093

    Previous
    Next

    Enhance network performance with VLAN pruning 7.6.1

    Enhance network performance with VLAN pruning 7.6.1

    Starting in FortiOS 7.6.1 with FortiSwitchOS 7.6.1, the FortiOS switch controller supports VLAN pruning. VLAN pruning prevents unnecessary traffic from unused VLANs by only allowing traffic from the VLANs required for the inter-switch link (ISL) trunks. This process makes networks more efficient and preserves bandwidth. In addition, VLAN pruning eliminates the time spent on manual VLAN pruning and reduces the chance of errors. By default, VLAN pruning is disabled.

    To enable VLAN pruning in FortiOS:

    config switch-controller global

    set vlan-optimization prune

    end

    To disable VLAN pruning in FortiOS:

    config switch-controller global

    set vlan-optimization {configured | none}

    end

    To display all VLANs learned using VLAN pruning on a FortiSwitch unit:

    diagnose switch vlan-pruning dynamic-vlan list [<interface_name>]

    For example:

    diagnose switch vlan-pruning dynamic-vlan list port10

    Note

    Although FortiOS leverages the Generic VLAN Registration Protocol (GVRP) message format to exchange internal control packets for the VLAN-pruning feature, the firmware is currently not fully compliant with the IEEE 802.1r-based standard GVRP specification.
    To display the received and transmitted counters with GVRP-formatted messages on a FortiSwitch unit:

    diagnose switch vlan-pruning protocol-packet stats [<interface_name>]

    For example:

    FS1E48T422005187 # diagnose switch vlan-pruning protocol-packet stats

    Receive(RX) and transmit(TX) counters for GVRP vlan states

    RX: JE JI LE LI LA E

    TX: JE JI LE LI LA E

    JE: JoinEmpty JI: JoinIn LE: LeaveEmpty

    LI: LeaveIn LA: LeaveAll E: Empty

    Configuration example

    In the following example, a FortiGate device manages two FortiSwitch units.

    1. Configure the native VLAN on the managed FortiSwitch port. FortiSwitch1 has vlan1 and vlan11, and FortiSwitch2 has vlan11

      config switch interface

      edit port21

      set native-vlan vlan1

      next

      end

      config switch interface

      edit port22

      set native-vlan vlan11

      next

      end

      config switch interface

      edit port47

      set native-vlan vlan11

      next

      end

    2. Enable VLAN pruning on the FortiGate device.

      FGT_A (vdom1) (Interim)# config switch-controller global

      FGT_A (global) (Interim)# set vlan-optimization prune

      FGT_A (global) (Interim)# end

    3. Check VLAN pruning on the FortiSwitch1 auto-generated trunk interface. Only vlan11 and vlan4093 (the quarantine VLAN configured in the set allowed-vlans command on all FortiSwitch ports) are allowed, and vlan1 is not.

      config switch trunk

      edit "8EPTF18001384-0"

      set mode lacp-active

      set auto-isl 1

      set members "port22"

      next

      end

      S524DN4K16000116 # diagnose switch vlan-pruning dynamic-vlan list 8EPTF18001384-0

      8EPTF18001384-0 :

      vlans : 11 4093

    Previous
    Next