Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiSwitch 6.4.5 Administration Guide
    6.4.5
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.11
    6.4.6
    6.4.5
    6.4.3
    6.4.2
    6.4.0
    6.2.5
    6.2.2
    6.2.1
    6.2.0

    MAC/IP/protocol-based VLANs

    MAC/IP/protocol-based VLANs

    The FortiSwitch unit assigns VLANs to packets based on the incoming port or the VLAN tag in the packet. The MAC/IP/protocol-based VLAN feature enables the assignment of VLANs based on specific fields in an ingress packet (MAC address, IP address, or layer-2 protocol).

    This chapter covers the following topics:

    Overview

    When a MAC/IP/protocol-based VLAN is assigned to a port, the default behavior is for egress packets with that VLAN value to include the VLAN tag. Use the set untagged-vlans <vlan> configuration command to remove the VLAN tag from egress packets. For an example of the command, see the Example configuration.

    The MAC/IP/protocol-based VLAN feature assigns the VLAN based on MAC address, IP address, or layer-2 protocol.

    MAC based

    In MAC-based VLAN assignment, the FortiSwitch unit associates a VLAN with each packet based on the originating MAC address.

    IP based

    In IP-based VLAN assignment, the FortiSwitch unit associates a VLAN with each packet based on the originating IP address or IP subnet. IPv4 is supported with prefix masks from 1 to 32. IPv6 is also supported, depending on hardware availability, with prefix lengths from 1 to 64.

    Protocol based

    In protocol-based VLAN assignment, the FortiSwitch unit associates a VLAN with each packet based on the Ethernet protocol value and the frame type (ethernet2, 802.3d/SNAP, LLC).

    Configuring MAC/IP/protocol-based VLANs

    Note the following prerequisites:
    • The VLAN must be created in the FortiSwitch unit
    • The VLAN needs to be allowed on the ingress port
    Using the GUI:
    1. Go to Switch > VLAN.
    2. Select Add VLAN for a new VLAN or select Edit for an existing VLAN.
    3. To configure a MAC-based VLAN:
      1. Select Add under Members by MAC Address.
      2. Enter a description and the MAC address.
    4. To configure an IP-based VLAN:
      1. Select Add under Members by IP Address.
      2. Enter a description and the IP address.
    5. Select Add or Update to save the settings.
    Using the CLI:

    config switch vlan

    edit <vlan-id>

    config member-by-mac

    edit <id>

    set mac xx:xx:xx:xx:xx:xx

    set description <128 byte string>

    next

    end

    config member-by-ipv4

    edit <id>

    set address a.b.c.d/e #subnet mask must 1-32

    set description <128 byte string>

    next

    end

    config member-by-ipv6

    edit <id>

    set prefix xx:xx:xx:xx::/prefix #prefix must 1-64

    set description <128 byte string>

    next

    end

    config member-by-proto

    edit <id>

    set frametypes ethernet2 802.3d llc #default is all

    set protocol 0xXXXX

    next

    end

    next

    end

    NOTE: There are hardware limits regarding how many MAC/IP/protocol-based VLANs that you can configure. If you try to add entries beyond the limit, the CLI will reject the configuration:

    • Editing an existing VLAN—when you enter next or end on the config member-by command
    • Adding a new VLAN— when you enter next or end on the edit vlan command
    • When VLANS are defined by config member-by-ipv4 or config member-by-ipv6 on some FortiSwitch platforms (2xx and higher), matching ARP traffic is included in the assigned VLANs. For example, if the ARP target IP address or the ARP sender IP address match the member-by-ipv4 or member-by-ipv6 IP address, those ARP packets are included in the assigned VLANs.

    Example configuration

    The following example shows a CLI configuration for MAC-based VLAN where a VOIP phone and a PC share the same switch port.

    In this example, a unique VLAN is assigned to the voice traffic, and the PC traffic is on the default VLAN for the port.

    1. The FortiSwitch Port 10 is connected to PC2 (a VOIP phone), with MAC address 00:21:cc:d2:76:72.
    2. The phone also sends traffic from PC3 (MAC= 00:21:cc:d2:76:80).
    3. Assign the PC3 traffic to the default VLAN (1) on port 10.
    4. Assign the voice traffic to VLAN 100.

    Configure the voice VLAN

    config switch vlan

    edit 100

    config member-by-mac

    edit 1

    set description "pc2"

    set mac 00:21:cc:d2:76:72

    next

    end

    end

    end

    Configure switch port 10

    config switch interface

    edit "port10"

    # allow vlan=100 on this port

    # treat this as untagged on egress

    set allowed-vlans 100

    set untagged-vlans 100

    set snmp-index 10

    end

    end

    Checking the configuration

    To view the MAC-based VLAN assignments, use the following command:

    diagnose switch vlan assignment mac list sorted-by-mac

    	00:21:cc:d2:76:72   VLAN: 100 Installed: yes
	Source: Configuration (entry 1)
	Description: pc2
    Previous
    Next

    MAC/IP/protocol-based VLANs

    MAC/IP/protocol-based VLANs

    The FortiSwitch unit assigns VLANs to packets based on the incoming port or the VLAN tag in the packet. The MAC/IP/protocol-based VLAN feature enables the assignment of VLANs based on specific fields in an ingress packet (MAC address, IP address, or layer-2 protocol).

    This chapter covers the following topics:

    Overview

    When a MAC/IP/protocol-based VLAN is assigned to a port, the default behavior is for egress packets with that VLAN value to include the VLAN tag. Use the set untagged-vlans <vlan> configuration command to remove the VLAN tag from egress packets. For an example of the command, see the Example configuration.

    The MAC/IP/protocol-based VLAN feature assigns the VLAN based on MAC address, IP address, or layer-2 protocol.

    MAC based

    In MAC-based VLAN assignment, the FortiSwitch unit associates a VLAN with each packet based on the originating MAC address.

    IP based

    In IP-based VLAN assignment, the FortiSwitch unit associates a VLAN with each packet based on the originating IP address or IP subnet. IPv4 is supported with prefix masks from 1 to 32. IPv6 is also supported, depending on hardware availability, with prefix lengths from 1 to 64.

    Protocol based

    In protocol-based VLAN assignment, the FortiSwitch unit associates a VLAN with each packet based on the Ethernet protocol value and the frame type (ethernet2, 802.3d/SNAP, LLC).

    Configuring MAC/IP/protocol-based VLANs

    Note the following prerequisites:
    • The VLAN must be created in the FortiSwitch unit
    • The VLAN needs to be allowed on the ingress port
    Using the GUI:
    1. Go to Switch > VLAN.
    2. Select Add VLAN for a new VLAN or select Edit for an existing VLAN.
    3. To configure a MAC-based VLAN:
      1. Select Add under Members by MAC Address.
      2. Enter a description and the MAC address.
    4. To configure an IP-based VLAN:
      1. Select Add under Members by IP Address.
      2. Enter a description and the IP address.
    5. Select Add or Update to save the settings.
    Using the CLI:

    config switch vlan

    edit <vlan-id>

    config member-by-mac

    edit <id>

    set mac xx:xx:xx:xx:xx:xx

    set description <128 byte string>

    next

    end

    config member-by-ipv4

    edit <id>

    set address a.b.c.d/e #subnet mask must 1-32

    set description <128 byte string>

    next

    end

    config member-by-ipv6

    edit <id>

    set prefix xx:xx:xx:xx::/prefix #prefix must 1-64

    set description <128 byte string>

    next

    end

    config member-by-proto

    edit <id>

    set frametypes ethernet2 802.3d llc #default is all

    set protocol 0xXXXX

    next

    end

    next

    end

    NOTE: There are hardware limits regarding how many MAC/IP/protocol-based VLANs that you can configure. If you try to add entries beyond the limit, the CLI will reject the configuration:

    • Editing an existing VLAN—when you enter next or end on the config member-by command
    • Adding a new VLAN— when you enter next or end on the edit vlan command
    • When VLANS are defined by config member-by-ipv4 or config member-by-ipv6 on some FortiSwitch platforms (2xx and higher), matching ARP traffic is included in the assigned VLANs. For example, if the ARP target IP address or the ARP sender IP address match the member-by-ipv4 or member-by-ipv6 IP address, those ARP packets are included in the assigned VLANs.

    Example configuration

    The following example shows a CLI configuration for MAC-based VLAN where a VOIP phone and a PC share the same switch port.

    In this example, a unique VLAN is assigned to the voice traffic, and the PC traffic is on the default VLAN for the port.

    1. The FortiSwitch Port 10 is connected to PC2 (a VOIP phone), with MAC address 00:21:cc:d2:76:72.
    2. The phone also sends traffic from PC3 (MAC= 00:21:cc:d2:76:80).
    3. Assign the PC3 traffic to the default VLAN (1) on port 10.
    4. Assign the voice traffic to VLAN 100.

    Configure the voice VLAN

    config switch vlan

    edit 100

    config member-by-mac

    edit 1

    set description "pc2"

    set mac 00:21:cc:d2:76:72

    next

    end

    end

    end

    Configure switch port 10

    config switch interface

    edit "port10"

    # allow vlan=100 on this port

    # treat this as untagged on egress

    set allowed-vlans 100

    set untagged-vlans 100

    set snmp-index 10

    end

    end

    Checking the configuration

    To view the MAC-based VLAN assignments, use the following command:

    diagnose switch vlan assignment mac list sorted-by-mac

    	00:21:cc:d2:76:72   VLAN: 100 Installed: yes
	Source: Configuration (entry 1)
	Description: pc2
    Previous
    Next