VLANs and VLAN tagging

FortiSwitch ports process tagged and untagged Ethernet frames. Untagged frames do not carry any VLAN information.

Tagged frames include an additional header (the 802.1Q header) after the Source MAC address. This header includes a VLAN ID. This allows the VLAN value to be transmitted between switches.

The FortiSwitch unit provides port parameters to configure and manage VLAN tagging.

This chapter covers the following topics:

Native VLAN

You can configure a native VLAN for each port. The native VLAN is like a default VLAN for untagged incoming frames. Outgoing frames for the native VLAN are sent as untagged frames.

The native VLAN is assigned to any untagged frame arriving at an ingress port.

At an egress port, if the frame tag matches the native VLAN, the frame is sent out without the VLAN header.

Allowed VLAN list

The allowed VLAN list for each port specifies the VLAN tag values for which the port can transmit or receive frames.

For a tagged frame arriving at an ingress port, the tag value must match a VLAN on the allowed VLAN list or the native VLAN.

At an egress port, the frame tag must match the native VLAN or a VLAN on the allowed VLAN list.

Untagged VLAN list

The untagged VLAN list on a port specifies the VLAN tag values for which the port will transmit frames without the VLAN tag. Any VLAN in the untagged VLAN list must also be a member of the allowed VLAN list.

The untagged VLAN list applies only to egress traffic on a port.

Frame processing

Ingress processing ensures that the port accepts only frames with allowed VLAN values (untagged frames are assigned the native VLAN, which is implicitly allowed). At this point, all frames are now tagged with a valid VLAN.

The frame is sent to each egress port that can send the frame (because the frame tag value matches the native VLAN or an Allowed VLAN on the port).

Ingress port

For an untagged frame:

  • The frame is tagged with the native VLAN and allowed to proceed.
  • The Allowed VLAN list is ignored.

For a tagged frame:

  • The tag VLAN value must match an Allowed VLAN or the native VLAN.
  • The frame retains the VLAN tag and is allowed to proceed.

To control what types of frames are accepted by the port, use the following commands:

config switch interface
    edit <interface>
        set discard-mode <all-tagged | all-untagged | none>
    end

all-tagged
    Tagged frames are discarded, and untagged frames can enter the switch.

all-untagged
    Untagged frames are discarded, and tagged frames can enter the switch.

none
    By default, all frames can enter the switch, and no frames are discarded.

Egress port

All frames that arrive at an egress port are tagged frames.

If the frame tag value is on the Allowed VLAN list, the frame is sent out with the existing tag.

If the frame tag value is the native VLAN or on the Untagged VLAN list, the tag is stripped, and then the frame is sent out.

Otherwise, the frame is dropped.

Configuring VLANs

Use the following steps to add VLANs to a physical port interface.

Using the GUI:

  1. Go to Switch > Interface > Physical.
  2. On the Physical Port Interfaces page, select a port and then select Edit.
  3. Give the VLAN an appropriate name.
  4. In the Native VLAN field, enter the identifier for the native VLAN of the port.
  5. In the Allowed VLANs field, enter one or more identifiers for the allowed VLANs for the port. Separate multiple numbers with commas without any space. For example, 2,4,8-10.
  6. In the Untagged VLANs field, enter one or more identifiers for the untagged VLANs for the port. Separate multiple numbers with commas without any space. For example, 2,4,8-10.
  7. Select OK.

Using the CLI:

config switch interface
    edit <port>
        set native-vlan <vlan>
        set allowed-vlans <vlan> [<vlan>] [<vlan> - <vlan>]
        set untagged-vlans <vlan> [<vlan>] [<vlan> - <vlan>]
    end

Example 1

The following example shows the flows for tagged and untagged frames.

Purple (dashed) flow

An untagged frame arriving at port3 is assigned VLAN 100 (the native VLAN) and flows to all egress ports that will send VLAN 100 (port1 and port4).

A tagged frame (VLAN 100) arriving at port4 is allowed (VLAN 100 is allowed). The frame is sent out from port1 and port3. On port3, VLAN 100 is the native VLAN, so the frame is sent without a VLAN tag.

Blue (dotted) flow

An untagged frame arriving at port4 is assigned VLAN 300 (the native VLAN). Then it flows out all ports that will send VLAN 300 (port3).

A tagged frame (VLAN 300) arriving at port3 is allowed. The frame is sent to egress from port4. VLAN 300 is the native VLAN on port4, so the frame is sent without a VLAN tag.

Example 2

The following is an example of an invalid tagged VLAN.

Green (dashed) flow

Between port1 and port2, frames are assigned to VLAN 1 at ingress, and then the tag is removed at egress.

Blue (dotted) flow

Incoming on port3, a tagged frame with VLAN value 100 is allowed because 100 is the port3 native VLAN (the hardware VLAN table accepts a tagged or untagged match to a valid VLAN).

The frame will be sent on port1 and port4 (with frame tag 100).
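The ingress and egress rules above, including discard-mode, as a Python model that reproduces the flows of Example 1 (an added example, not FortiSwitch code). The allowed lists and the native VLAN of port2 are constructed so that the four flows in the text come out as described.

```python
"""Model of the per-port VLAN rules on this page (added example, not FortiSwitch code).

Port fields mirror the CLI: native-vlan, allowed-vlans, untagged-vlans and
discard-mode. EXAMPLE1 reproduces Example 1; its allowed lists are
constructed so that the purple and blue flows match the text.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Port:
    name: str
    native_vlan: int
    allowed_vlans: set = field(default_factory=set)
    untagged_vlans: set = field(default_factory=set)
    discard_mode: str = "none"            # all-tagged | all-untagged | none

    def __post_init__(self):
        # Any VLAN in the untagged list must also be on the allowed list.
        extra = self.untagged_vlans - self.allowed_vlans
        if extra:
            raise ValueError(f"{self.name}: untagged VLANs {sorted(extra)} are not allowed VLANs")


def ingress(port: Port, vid: Optional[int]) -> Optional[int]:
    """VLAN assigned to an arriving frame, or None if the port discards it.
    vid is None for an untagged frame."""
    if vid is None:                       # untagged: native VLAN, allowed list ignored
        return None if port.discard_mode == "all-untagged" else port.native_vlan
    if port.discard_mode == "all-tagged":
        return None
    if vid == port.native_vlan or vid in port.allowed_vlans:
        return vid                        # frame keeps its tag
    return None                           # tag not allowed on this port


def egress(port: Port, vid: int) -> Optional[bool]:
    """True = sent with tag, False = tag stripped, None = dropped.
    Every frame reaching egress carries a tag (ingress guarantees that)."""
    if vid == port.native_vlan or vid in port.untagged_vlans:
        return False
    if vid in port.allowed_vlans:
        return True
    return None


def forward(ports: Dict[str, Port], in_port: str, vid: Optional[int]) -> Dict[str, bool]:
    """Flood one frame entering in_port; returns {egress port: sent tagged?}."""
    assigned = ingress(ports[in_port], vid)
    if assigned is None:
        return {}
    out = {}
    for name, port in ports.items():
        if name != in_port:
            sent = egress(port, assigned)
            if sent is not None:
                out[name] = sent
    return out


# Example 1: port3 native 100, port4 native 300; port1 and port4 send VLAN 100,
# port3 sends VLAN 300. port2 (native 1, an assumption) takes no part in the flows.
EXAMPLE1 = {
    "port1": Port("port1", 1, {100}),
    "port2": Port("port2", 1),
    "port3": Port("port3", 100, {300}),
    "port4": Port("port4", 300, {100}),
}

if __name__ == "__main__":
    print(forward(EXAMPLE1, "port3", None))   # purple: {'port1': True, 'port4': True}
    print(forward(EXAMPLE1, "port4", 100))    # purple: {'port1': True, 'port3': False}
    print(forward(EXAMPLE1, "port4", None))   # blue: {'port3': True}
    print(forward(EXAMPLE1, "port3", 300))    # blue: {'port4': False}
```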

VLAN stacking (QinQ)

VLAN stacking allows you to have multiple VLAN headers in an Ethernet frame. The value of the EtherType field specifies where the VLAN header is placed in the Ethernet frame.

Use the VLAN TPID profile to specify the value of the EtherType field. The FortiSwitch unit supports a maximum of four VLAN TPID profiles, including the default (0x8100). The default VLAN TPID profile (0x8100) cannot be deleted or changed.

NOTE: The following FortiSwitch models support VLAN stacking:

FS-124D, FS-224D-FPOE, FS-224E, FS-224E-POE, FS-248D, FS-248E-POE, FS-248E-FPOE, FS-424D, FS-424D-POE, FS-424D-FPOE, 424E, 424E-POE, 424E-FPOE, FS-424E-Fiber, 426E-MG-FPOE, FS-448D, FS-448D-POE, FS-448D-FPOE, 448E, 448E-POE, 448E-FPOE, FS-524D, FS-524D-FPOE, FS-548D, FS-548D-FPOE, FS-1024D, FS-1048D, FS-1048E, FS-3032D, and FS-3032E

NOTE: The following features are not supported with VLAN stacking:

  • DHCP relay
  • DHCP snooping
  • IGMP snooping
  • IP source guard
  • PVLAN
  • STP

NOTE: Settings under config qnq are for customer VLANs (C-VLANs). Other settings such as set allowed-vlans, set native-vlan, and set vlan-tpid are for service-provider VLANs (S-VLANs).

To configure VLAN stacking (asterisks indicate the default setting):

config switch interface
    edit <interface_name>
        set vlan-tpid <default | string>
        config qnq
            set status {enable | *disable}
            set vlan-mapping-miss-drop {enable | *disable}
            set add-inner <1-4095>
            set edge-type customer
            set priority {follow-c-tag | *follow-s-tag}
            set remove-inner {enable | *disable}
            set s-tag-priority <0-7>
            config vlan-mapping
                edit <id>
                    set description <string>
                    set match-c-vlan <1-4094>
                    set new-s-vlan <1-4094>
                next
            end
        end
    next
end

<interface_name>
    Enter the name of the interface.
    Default: No default

vlan-tpid <default | string>
    Select which VLAN TPID profile to use. The default VLAN TPID profile has a value of 0x8100 and cannot be deleted or changed.
    This setting is only for service-provider VLANs (S-VLANs).
    NOTE: If you are not using the default VLAN TPID profile, you must have already defined the VLAN TPID profile with the config switch vlan-tpid command.
    Default: default

config qnq

status {enable | *disable}
    Enable or disable VLAN stacking (QinQ) mode.
    Default: disable

vlan-mapping-miss-drop {enable | *disable}
    If the QinQ mode is enabled, enable or disable whether a frame is dropped if the VLAN ID in the frame's tag is not defined in the vlan-mapping configuration.
    Default: disable

add-inner <1-4095>
    If the QinQ mode is enabled, add the inner tag for untagged frames upon ingress.
    Default: No default

edge-type customer
    If the QinQ mode is enabled, the edge type is set to customer.
    Default: customer

priority {follow-c-tag | *follow-s-tag}
    If the QinQ mode is enabled, select whether to follow the priority of the S-tag (service tag) or C-tag (customer tag).
    NOTE: This command is not available on the 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE and 248E-FPOE models.
    Default: follow-s-tag

remove-inner {enable | *disable}
    If the QinQ mode is enabled, enable or disable whether the inner tag is removed upon egress.
    Default: disable

s-tag-priority <0-7>
    If frames follow the priority of the S-tag (service tag), enter the priority value. This option is available only when the priority is set to follow-s-tag.
    NOTE: This command is not available on the 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE and 248E-FPOE models.
    Default: 0

config vlan-mapping

<id>
    Enter a mapping entry identifier.
    Default: No default

description <string>
    Enter a description of the mapping entry.
    Default: No default

match-c-vlan <1-4094>
    Enter a matching customer (inner) VLAN.
    Default: 0

new-s-vlan <1-4094>
    Enter a new service (outer) VLAN.
    NOTE: The VLAN must be in the port's allowed VLAN list.
    This option is only available after you set the value for match-c-vlan.
    Default: No default

To configure VLAN mapping on an interface (asterisks indicate the default setting):

config switch interface
    edit <interface_name>
        set vlan-tpid <default | string>
        set vlan-mapping-miss-drop {enable | *disable}
        config vlan-mapping
            edit <id>
                set description <string>
                set direction ingress    // ingress example
                set match-c-vlan <1-4094>
                set action {add | replace}
                set new-s-vlan <1-4094>
            next
            edit <id>
                set description <string>
                set direction egress    // egress example
                set match-s-vlan <1-4094>
                set action {delete | replace}
                set new-s-vlan <1-4094>
            next
        end
    next
end

<interface_name>
    Enter the name of the interface.
    Default: No default

vlan-tpid <default | string>
    Select which VLAN TPID profile to use. The default VLAN TPID profile has a value of 0x8100 and cannot be deleted or changed.
    This setting is only for service-provider VLANs (S-VLANs).
    NOTE: If you are not using the default VLAN TPID profile, you must have already defined the VLAN TPID profile with the config switch vlan-tpid command.
    Default: default

vlan-mapping-miss-drop {enable | *disable}
    Enable or disable whether a frame is dropped if the VLAN ID in the frame's tag is not defined in the vlan-mapping configuration.
    Default: disable

config vlan-mapping

<id>
    Enter an identifier for the VLAN mapping entry.
    Default: No default

description <string>
    Enter a description of the VLAN mapping entry.
    Default: No default

direction {egress | ingress}
    Select the ingress or egress direction.
    Default: No default

match-s-vlan <1-4094>
    If the direction is set to egress, enter the service (outer) VLAN to match.
    Default: 0

match-c-vlan <1-4094>
    If the direction is set to ingress, enter the customer (inner) VLAN to match.
    Default: 0

action {add | delete | replace}
    Select what happens when the frame is matched:
      • add: When the frame is matched, add the service VLAN. You cannot set the action to add for the egress direction.
      • delete: When the frame is matched, delete the service VLAN. You cannot set the action to delete for the ingress direction.
      • replace: When the frame is matched, replace the customer VLAN or service VLAN.
    This option is only available after you set a value for match-c-vlan or match-s-vlan.
    Default: No default

new-s-vlan <1-4094>
    Set the new service (outer) VLAN.
    This option is only available after you set the action to add or replace for the ingress direction or after you set the action to replace for the egress direction.
    Default: No default
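The 802.1Q tag stack and the vlan-mapping actions described in the two tables above (add, replace and delete, vlan-mapping-miss-drop, and the follow-c-tag / follow-s-tag priority choice from config qnq) as a Python model; this is an added example, not FortiSwitch code. It assumes 0x88a8 as the EtherType of a VLAN TPID profile created with config switch vlan-tpid (0x8100 is the default profile), and the frames it works on are constructed inline.

```python
"""QinQ tag-stack parsing and vlan-mapping actions (added example, not FortiSwitch code).

0x88a8 is assumed as the EtherType of a non-default VLAN TPID profile; frames
are constructed here. Tags are kept as (tpid, pcp, vid) tuples, outer tag first.
"""
import struct

DEFAULT_TPID = 0x8100   # the default VLAN TPID profile on this page
S_TPID = 0x88A8         # assumed value of a profile made with 'config switch vlan-tpid'


def parse_tags(frame, tpids=(DEFAULT_TPID, S_TPID)):
    """Return ([(tpid, pcp, vid), ...], payload EtherType).
    Only EtherType values in tpids are treated as VLAN headers, which is what
    selecting a VLAN TPID profile on a port decides."""
    off, tags = 12, []                       # VLAN headers follow the source MAC
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in tpids:
            return tags, etype
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci >> 13, tci & 0x0FFF))
        off += 4


def build_frame(tags, payload_etype=0x0800):
    """Constructed frame: broadcast dst, locally administered src, tags, 20 payload bytes."""
    hdr = b"".join(struct.pack("!HH", t, (p << 13) | v) for t, p, v in tags)
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + hdr + struct.pack("!H", payload_etype) + b"\x00" * 20


def vlan_mapping_ingress(tags, entries, new_tpid=S_TPID, miss_drop=False,
                         priority="follow-s-tag", s_tag_priority=0):
    """entries: {match_c_vlan: (action, new_s_vlan)}, action add or replace.
    Returns the new tag list, or None when vlan-mapping-miss-drop discards the frame."""
    if not tags:
        return tags                          # untagged frames carry no C-VLAN to match
    _, pcp, cvid = tags[0]
    if cvid not in entries:
        return None if miss_drop else tags
    action, svid = entries[cvid]
    spcp = pcp if priority == "follow-c-tag" else s_tag_priority
    if action == "add":                      # push an S-tag in front of the C-tag
        return [(new_tpid, spcp, svid)] + tags
    if action == "replace":                  # rewrite the matched tag as the S-tag
        return [(new_tpid, spcp, svid)] + tags[1:]
    raise ValueError("ingress action must be add or replace")


def vlan_mapping_egress(tags, entries, miss_drop=False):
    """entries: {match_s_vlan: (action, new_s_vlan)}, action delete or replace."""
    if not tags:
        return tags
    tpid, pcp, svid = tags[0]
    if svid not in entries:
        return None if miss_drop else tags
    action, new_svid = entries[svid]
    if action == "delete":                   # strip the outer S-tag, expose the C-tag
        return tags[1:]
    if action == "replace":
        return [(tpid, pcp, new_svid)] + tags[1:]
    raise ValueError("egress action must be delete or replace")


if __name__ == "__main__":
    tags, _ = parse_tags(build_frame([(DEFAULT_TPID, 5, 100)]))      # customer frame, C-VLAN 100
    stacked = vlan_mapping_ingress(tags, {100: ("add", 2000)}, priority="follow-c-tag")
    print([(hex(t), p, v) for t, p, v in stacked])                   # S-tag 2000 over C-tag 100
    print(vlan_mapping_egress(stacked, {2000: ("delete", None)}))    # back to the C-tag only
```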

To configure the VLAN TPID profile:

config switch vlan-tpid
    edit <VLAN_TPID_profile_name>
        set ether-type <0x0001-0xfffe>
    next
end

<VLAN_TPID_profile_name>
    Enter a name for the VLAN TPID profile.
    Default: No default

ether-type <0x0001-0xfffe>
    Enter a hexadecimal value for the EtherType field.
    Default: 0x8100

To check the VLAN stacking (QinQ) configuration:

diagnose switch qnq dtag-cfg
