
VLANs and VLAN tagging

FortiSwitch ports process both tagged and untagged Ethernet frames. Untagged frames carry no VLAN information; the switch has to decide their VLAN from the configuration of the port they arrive on.

Tagged frames carry an additional 4-byte header (the 802.1Q header) between the source MAC address and the EtherType. This header includes a 12-bit VLAN ID, so a frame keeps its VLAN membership when it is carried across a link between switches.

The FortiSwitch unit provides port parameters to configure and manage VLAN tagging.

This chapter covers the following topics:

  • Native VLAN
  • Allowed VLAN list
  • Untagged VLAN list
  • Packet processing
  • Configuring VLANs
  • VLAN stacking (QinQ)

Native VLAN

You can configure a native VLAN for each port. The native VLAN is like a default VLAN for untagged incoming packets. Outgoing packets for the native VLAN are sent as untagged frames.

The native VLAN is assigned to any untagged packet arriving at an ingress port.

At an egress port, if the packet tag matches the native VLAN, the packet is sent out without the VLAN header.

Allowed VLAN list

The allowed VLAN list for each port specifies the VLAN tag values for which the port can transmit or receive packets.

For a tagged packet arriving at an ingress port, the tag value must match a VLAN on the allowed VLAN list or the native VLAN.

At an egress port, the packet tag must match the native VLAN or a VLAN on the allowed VLAN list.

Untagged VLAN list

The untagged VLAN list on a port specifies the VLAN tag values for which the port will transmit packets without the VLAN tag. Any VLAN in the untagged VLAN list must also be a member of the allowed VLAN list.

The untagged VLAN list applies only to egress traffic on a port.

Packet processing

Ingress processing ensures that a port accepts only packets with VLAN values it allows. Untagged packets are assigned the native VLAN, which is implicitly allowed even when it does not appear on the allowed VLAN list. After ingress processing, every packet carries a VLAN ID that is valid for the port it arrived on.

The packet is then sent to each egress port that can send it, that is, each port whose native VLAN or allowed VLAN list matches the packet's VLAN ID.

Ingress port

Untagged packet

  • packet is tagged with the native VLAN and allowed to proceed
  • the Allowed VLAN list is ignored

Tagged packet

  • tag VLAN value must match an Allowed VLAN or the native VLAN
  • packet retains the VLAN tag and is allowed to proceed

To control what types of frames a port accepts, use the following commands. On a trunk port that should carry only tagged traffic, all-untagged prevents untagged frames from being silently placed in the native VLAN.

config switch interface
    edit <interface>
        set discard-mode <all-tagged | all-untagged | none>
    next
end

all-tagged
    Description: Tagged frames are discarded, and untagged frames can enter the switch.

all-untagged
    Description: Untagged frames are discarded, and tagged frames can enter the switch.

none
    Description: All frames can enter the switch, and no frames are discarded. This is the default.

Egress port

All packets that arrive at an egress port carry the VLAN ID assigned at ingress.

If the VLAN ID is the port's native VLAN or is on its untagged VLAN list, the tag is stripped and the packet is sent untagged. Because every VLAN on the untagged list is also on the allowed list, this check takes precedence over the next one.

Otherwise, if the VLAN ID is on the allowed VLAN list, the packet is sent out with the existing tag.

Otherwise, the packet is dropped.

Configuring VLANs

Use the following steps to add VLANs to a physical port interface.

Using the GUI:
  1. Go to Switch > Interface > Physical.
  2. On the Physical Port Interfaces page, select a port and then select Edit.
  3. Give the VLAN an appropriate name.
  4. In the Native VLAN field, enter the identifier for the native VLAN of the port.
  5. In the Allowed VLANs field, enter one or more identifiers for the allowed VLANs for the port. Separate multiple numbers with commas without any space. For example, 2,4,8-10.
  6. In the Untagged VLANs field, enter one or more identifiers for the untagged VLANs for the port. Separate multiple numbers with commas without any space. For example, 2,4,8-10.
  7. Select OK.
Using the CLI:

config switch interface
    edit <port>
        set native-vlan <vlan>
        set allowed-vlans <vlan> [<vlan>] [<vlan> - <vlan>]
        set untagged-vlans <vlan> [<vlan>] [<vlan> - <vlan>]
    next
end

Example 1

Example flows for tagged and untagged packets.

Purple flow

An untagged packet arriving at Port3 is assigned VLAN 100 (the native VLAN of Port3) and flows to all egress ports that will send VLAN 100 (Port1 and Port4).

A tagged packet (VLAN 100) arriving at Port4 is allowed (VLAN 100 is on the allowed list of Port4). The packet is sent out from Port1 and Port3. On Port3, VLAN 100 is the native VLAN, so the packet is sent without a VLAN tag.

Blue flow

An untagged packet arriving at Port4 is assigned VLAN 300 (the native VLAN of Port4) and flows out every port that will send VLAN 300 (Port3).

A tagged packet (VLAN 300) arriving at Port3 is allowed. The packet is sent out from Port4. VLAN 300 is the native VLAN on Port4, so the packet is sent without a VLAN tag.

Example 2

Example of a tagged packet whose VLAN ID matches the native VLAN of the ingress port.

Green flow

Between Port1 and Port2, packets are assigned to VLAN 1 at ingress, and then the tag is removed at egress.

Blue flow

Arriving on Port3, a tagged packet with VLAN ID 100 is allowed, because 100 is the native VLAN of Port3 (the hardware VLAN table accepts a tagged or untagged match to a valid VLAN).

The packet is sent out Port1 and Port4 with tag 100.
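The following Python model ties together the ingress and egress rules from the Packet processing section, the CLI syntax from Configuring VLANs, and the flows in Example 1. It is an added illustration, not FortiSwitch code. EXAMPLE1_CONFIG is a constructed reconstruction of the Example 1 port settings (the page does not state the native VLAN of Port1; 1 is assumed), and parse_config reads only the set lines that this page documents.

```python
# Model of FortiSwitch per-port VLAN handling as described on this page:
# native VLAN, allowed/untagged VLAN lists and discard-mode.  Added
# illustration, not Fortinet code.  EXAMPLE1_CONFIG is a constructed
# reconstruction of the Example 1 port settings (assumed: Port1 native 1).
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class Port:
    name: str
    native_vlan: int = 1
    allowed_vlans: Set[int] = field(default_factory=set)
    untagged_vlans: Set[int] = field(default_factory=set)
    discard_mode: str = "none"          # none | all-tagged | all-untagged

@dataclass(frozen=True)
class Frame:
    vlan: Optional[int]                 # None = no 802.1Q tag on the wire

def parse_vlan_list(spec: str) -> Set[int]:
    """Accepts the page's list syntax: '2,4,8-10' (GUI) or '2 4 8-10' (CLI)."""
    vlans = set()
    for tok in spec.replace(",", " ").split():
        lo, _, hi = tok.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_config(text: str) -> Dict[str, Port]:
    """Minimal reader for a 'config switch interface' block (set lines only)."""
    ports, cur = {}, None
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "edit":
            cur = ports.setdefault(w[1], Port(w[1]))
        elif w[0] == "set" and cur is not None:
            key, val = w[1], " ".join(w[2:])
            if key == "native-vlan":
                cur.native_vlan = int(val)
            elif key == "allowed-vlans":
                cur.allowed_vlans = parse_vlan_list(val)
            elif key == "untagged-vlans":
                cur.untagged_vlans = parse_vlan_list(val)
            elif key == "discard-mode":
                cur.discard_mode = val
    for p in ports.values():            # page rule: untagged list is a subset of allowed
        if not p.untagged_vlans <= p.allowed_vlans:
            raise ValueError(f"{p.name}: untagged-vlans not in allowed-vlans")
    return ports

def ingress(port: Port, frame: Frame) -> Optional[int]:
    """VLAN assigned at ingress, or None when the port discards the frame."""
    if frame.vlan is None:
        if port.discard_mode == "all-untagged":
            return None
        return port.native_vlan         # allowed list is ignored for untagged frames
    if port.discard_mode == "all-tagged":
        return None
    if frame.vlan == port.native_vlan or frame.vlan in port.allowed_vlans:
        return frame.vlan
    return None

def egress(port: Port, vlan: int) -> Optional[Frame]:
    """Frame as transmitted, or None if this port does not carry the VLAN."""
    if vlan == port.native_vlan or vlan in port.untagged_vlans:
        return Frame(None)              # untagged check takes precedence
    if vlan in port.allowed_vlans:
        return Frame(vlan)
    return None

def forward(ports: Dict[str, Port], in_port: str, frame: Frame) -> Dict[str, Frame]:
    """Flood to every other port that carries the VLAN; {} if dropped at ingress."""
    vlan = ingress(ports[in_port], frame)
    if vlan is None:
        return {}
    out = {}
    for name, p in ports.items():
        if name != in_port and (f := egress(p, vlan)) is not None:
            out[name] = f
    return out

EXAMPLE1_CONFIG = """
config switch interface
    edit port1
        set native-vlan 1
        set allowed-vlans 100
    next
    edit port3
        set native-vlan 100
        set allowed-vlans 300
    next
    edit port4
        set native-vlan 300
        set allowed-vlans 100
    next
end
"""

if __name__ == "__main__":
    ports = parse_config(EXAMPLE1_CONFIG)
    print(forward(ports, "port3", Frame(None)))   # purple flow: port1 and port4, tagged 100
    print(forward(ports, "port3", Frame(300)))    # blue flow: port4, untagged (300 is native)
```

Running the model against a tagged frame whose VLAN is neither native nor allowed on the ingress port returns an empty dictionary, which is the drop described under Ingress port; switching a port to discard-mode all-untagged makes untagged frames disappear instead of landing in the native VLAN.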

VLAN stacking (QinQ)

VLAN stacking allows an Ethernet frame to carry more than one VLAN header. Each header is introduced by an EtherType value (the tag protocol identifier, TPID) that marks it as a VLAN tag; the outer (service) tag can use a different TPID from the inner (customer) tag, which is how a receiving switch tells the service-provider header from the customer header.

Use the VLAN TPID profile to specify the value of the EtherType field. The FortiSwitch unit supports a maximum of four VLAN TPID profiles, including the default (0x8100). The default VLAN TPID profile (0x8100) cannot be deleted or changed.

NOTE: The following FortiSwitch models support VLAN stacking:

124D, 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, 248E-FPOE, 524D, 524D-FPOE, 548D, 548D-FPOE, 1024D, 1048D, 1048E, 3032D, 3032E

NOTE: The following features are not supported with VLAN stacking:

  • DHCP relay
  • DHCP snooping
  • IGMP snooping
  • IP source guard
  • PVLAN
  • STP

NOTE: Settings under config qnq are for customer VLANs (C-VLANs). Other settings such as set allowed-vlans, set native-vlan, and set vlan-tpid are for service-provider VLANs (S-VLANs).

To configure VLAN stacking (asterisks indicate the default setting):

config switch interface
    edit <interface_name>
        set vlan-tpid <default | string>
        config qnq
            set status {enable | *disable}
            set vlan-mapping-miss-drop {enable | *disable}
            set add-inner <1-4095>
            set edge-type customer
            set priority {follow-c-tag | *follow-s-tag}
            set remove-inner {enable | *disable}
            set s-tag-priority <0-7>
            config vlan-mapping
                edit <id>
                    set description <string>
                    set match-c-vlan <1-4094>
                    set new-s-vlan <1-4094>
                next
            end
        end
    next
end

<interface_name>
    Description: Enter the name of the interface.
    Default: No default

vlan-tpid <default | string>
    Description: Select which VLAN TPID profile to use. The default VLAN TPID profile has a value of 0x8100 and cannot be deleted or changed. This setting is only for service-provider VLANs (S-VLANs).
    NOTE: If you are not using the default VLAN TPID profile, you must have already defined the VLAN TPID profile with the config switch vlan-tpid command.
    Default: default

config qnq

status {enable | *disable}
    Description: Enable or disable VLAN stacking (QinQ) mode.
    Default: disable

vlan-mapping-miss-drop {enable | *disable}
    Description: If the QinQ mode is enabled, enable or disable whether a packet is dropped if the VLAN ID in the packet's tag is not defined in the vlan-mapping configuration.
    Default: disable

add-inner <1-4095>
    Description: If the QinQ mode is enabled, add the inner tag for untagged packets upon ingress.
    Default: No default

edge-type customer
    Description: If the QinQ mode is enabled, the edge type is set to customer.
    Default: customer

priority {follow-c-tag | *follow-s-tag}
    Description: If the QinQ mode is enabled, select whether to follow the priority of the S-tag (service tag) or C-tag (customer tag).
    NOTE: This command is not available on the 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE and 248E-FPOE models.
    Default: follow-s-tag

remove-inner {enable | *disable}
    Description: If the QinQ mode is enabled, enable or disable whether the inner tag is removed upon egress.
    Default: disable

s-tag-priority <0-7>
    Description: If packets follow the priority of the S-tag (service tag), enter the priority value. This option is available only when the priority is set to follow-s-tag.
    NOTE: This command is not available on the 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE and 248E-FPOE models.
    Default: 0

config vlan-mapping

<id>
    Description: Enter a mapping entry identifier.
    Default: No default

description <string>
    Description: Enter a description of the mapping entry.
    Default: No default

match-c-vlan <1-4094>
    Description: Enter a matching customer (inner) VLAN.
    Default: 0

new-s-vlan <1-4094>
    Description: Enter a new service (outer) VLAN. This option is only available after you set the value for match-c-vlan.
    NOTE: The VLAN must be in the port's allowed VLAN list.
    Default: No default

To configure VLAN mapping on an interface (asterisks indicate the default setting):

config switch interface
    edit <interface_name>
        set vlan-tpid <default | string>
        set vlan-mapping-miss-drop {enable | *disable}
        config vlan-mapping
            edit <id>
                set description <string>
                set direction ingress // ingress example
                set match-c-vlan <1-4094>
                set action {add | replace}
                set new-s-vlan <1-4094>
            next
            edit <id>
                set description <string>
                set direction egress // egress example
                set match-s-vlan <1-4094>
                set action {delete | replace}
                set new-s-vlan <1-4094>
            next
        end
    next
end

<interface_name>
    Description: Enter the name of the interface.
    Default: No default

vlan-tpid <default | string>
    Description: Select which VLAN TPID profile to use. The default VLAN TPID profile has a value of 0x8100 and cannot be deleted or changed. This setting is only for service-provider VLANs (S-VLANs).
    NOTE: If you are not using the default VLAN TPID profile, you must have already defined the VLAN TPID profile with the config switch vlan-tpid command.
    Default: default

vlan-mapping-miss-drop {enable | *disable}
    Description: Enable or disable whether a packet is dropped if the VLAN ID in the packet's tag is not defined in the vlan-mapping configuration.
    Default: disable

config vlan-mapping

<id>
    Description: Enter an identifier for the VLAN mapping entry.
    Default: No default

description <string>
    Description: Enter a description of the VLAN mapping entry.
    Default: No default

direction {egress | ingress}
    Description: Select the ingress or egress direction.
    Default: No default

match-s-vlan <1-4094>
    Description: If the direction is set to egress, enter the service (outer) VLAN to match.
    Default: 0

match-c-vlan <1-4094>
    Description: If the direction is set to ingress, enter the customer (inner) VLAN to match.
    Default: 0

action {add | delete | replace}
    Description: Select what happens when the packet is matched:
      • add: add the service VLAN. You cannot set the action to add for the egress direction.
      • delete: delete the service VLAN. You cannot set the action to delete for the ingress direction.
      • replace: replace the customer VLAN or service VLAN.
    This option is only available after you set a value for match-c-vlan or match-s-vlan.
    Default: No default

new-s-vlan <1-4094>
    Description: Set the new service (outer) VLAN. This option is only available after you set the action to add or replace for the ingress direction, or after you set the action to replace for the egress direction.
    Default: No default

To configure the VLAN TPID profile:

config switch vlan-tpid
    edit <VLAN_TPID_profile_name>
        set ether-type <0x0001-0xfffe>
    next
end

<VLAN_TPID_profile_name>
    Description: Enter a name for the VLAN TPID profile.
    Default: No default

ether-type <0x0001-0xfffe>
    Description: Enter a hexadecimal value for the EtherType field that identifies the service VLAN tag.
    Default: 0x8100

To check the VLAN stacking (QinQ) configuration:

diagnose switch qnq dtag-cfg
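The following Python model shows the vlan-mapping actions and vlan-mapping-miss-drop from the two tables above, together with the stacked-tag wire format that the VLAN TPID profile selects. It is an added illustration, not FortiSwitch code. The exact tag-rewrite semantics (add pushes the S-tag in front of the C-tag, ingress replace rewrites the C-tag, egress delete strips the S-tag) are an assumed reading of the option descriptions; TPID_SP (0x88a8) stands for an assumed custom config switch vlan-tpid profile and is not a value given on this page. EDGE_MAPPINGS and the MAC addresses are constructed sample data.

```python
# Model of the per-interface QinQ behaviour described on this page: the
# vlan-mapping actions (ingress add/replace keyed on the customer VLAN,
# egress delete/replace keyed on the service VLAN), vlan-mapping-miss-drop,
# and the stacked-tag wire format selected by the VLAN TPID profile.
# Added illustration, not Fortinet code.  The tag-rewrite semantics are an
# assumed reading of the option table; TPID_SP (0x88a8) is an assumed
# custom 'config switch vlan-tpid' profile, not a value from the page.
import struct
from dataclasses import dataclass
from typing import List, Optional

TPID_DEFAULT = 0x8100   # the default VLAN TPID profile (cannot be changed)
TPID_SP = 0x88A8        # assumed: 'set ether-type 0x88a8' in a custom profile

@dataclass
class Mapping:
    direction: str                 # "ingress" | "egress"
    match_vlan: int                # match-c-vlan (ingress) or match-s-vlan (egress)
    action: str                    # ingress: add | replace;  egress: delete | replace
    new_s_vlan: Optional[int] = None

def apply_mappings(tags: List[int], mappings: List[Mapping], direction: str,
                   miss_drop: bool = False) -> Optional[List[int]]:
    """tags is outer-first ([s_vlan, c_vlan]).  Returns the rewritten stack,
    or None when vlan-mapping-miss-drop is enabled and nothing matched."""
    if not tags:
        return tags                # untagged frames are handled by add-inner, not here
    for m in mappings:
        if m.direction != direction or m.match_vlan != tags[0]:
            continue
        if direction == "ingress" and m.action == "add":
            return [m.new_s_vlan] + tags          # push S-tag in front of the C-tag
        if direction == "ingress" and m.action == "replace":
            return [m.new_s_vlan] + tags[1:]      # C-tag rewritten to the S-VLAN
        if direction == "egress" and m.action == "delete":
            return tags[1:]                       # strip the S-tag, expose the C-tag
        if direction == "egress" and m.action == "replace":
            return [m.new_s_vlan] + tags[1:]
        raise ValueError(f"action {m.action!r} is not valid for {direction}")
    return None if miss_drop else tags

def encode_header(dst: str, src: str, tags: List[int], s_tpid: int = TPID_DEFAULT,
                  s_pcp: int = 0, ethertype: int = 0x0800) -> bytes:
    """Ethernet header with a tag stack.  The outer tag of a stacked frame uses
    the S-VLAN TPID profile and carries s-tag-priority; inner tags use 0x8100."""
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    for i, vid in enumerate(tags):
        outer = (i == 0 and len(tags) > 1)
        tpid = s_tpid if outer else TPID_DEFAULT
        tci = ((s_pcp if outer else 0) << 13) | (vid & 0x0FFF)
        hdr += struct.pack("!HH", tpid, tci)
    return hdr + struct.pack("!H", ethertype)

def decode_tags(frame: bytes) -> List[int]:
    """Walk the tag stack after the MAC addresses, recognising both TPIDs."""
    off, tags = 12, []
    while struct.unpack_from("!H", frame, off)[0] in (TPID_DEFAULT, TPID_SP):
        tags.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return tags

# Constructed provider-edge policy: customer VLAN 10 is carried in S-VLAN 500.
EDGE_MAPPINGS = [
    Mapping("ingress", match_vlan=10, action="add", new_s_vlan=500),
    Mapping("egress", match_vlan=500, action="delete"),
]

def customer_to_core(c_tags: List[int], miss_drop: bool = True) -> Optional[bytes]:
    """Customer-facing port ingress -> core-facing wire bytes (None = dropped)."""
    stack = apply_mappings(c_tags, EDGE_MAPPINGS, "ingress", miss_drop)
    if stack is None:
        return None
    return encode_header("ffffffffffff", "001122334455", stack, s_tpid=TPID_SP, s_pcp=5)

if __name__ == "__main__":
    wire = customer_to_core([10])
    print(wire.hex(), decode_tags(wire))                         # 88a8 a1f4 8100 000a 0800
    print(apply_mappings(decode_tags(wire), EDGE_MAPPINGS, "egress"))  # back to [10]
```

With miss_drop enabled, a customer frame tagged with a VLAN that has no mapping entry is dropped rather than forwarded into the core with only its customer tag, which is the behaviour vlan-mapping-miss-drop controls.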
