Administration Guide

MAC/IP/protocol-based VLANs

The FortiSwitch unit assigns VLANs to packets based on the incoming port or the VLAN tag in the packet. The MAC/IP/protocol-based VLAN feature enables the assignment of VLANs based on specific fields in an ingress packet (MAC address, IP address, or layer-2 protocol).

Overview

When a MAC/IP/protocol-based VLAN is assigned to a port, the default behavior is for egress packets with that VLAN value to include the VLAN tag. Use the set untagged-vlans <vlan> configuration command to remove the VLAN tag from egress packets. For an example of the command, see the Example configuration.

The MAC/IP/protocol-based VLAN feature assigns the VLAN based on MAC address, IP address, or layer-2 protocol.

MAC based

In MAC-based VLAN assignment, the FortiSwitch unit associates a VLAN with each packet based on the originating MAC address.

IP based

In IP-based VLAN assignment, the FortiSwitch unit associates a VLAN with each packet based on the originating IP address or IP subnet. IPv4 is supported with prefix masks from 1 to 32. IPv6 is also supported, depending on hardware availability, with prefix lengths from 1 to 64.

Protocol based

In protocol-based VLAN assignment, the FortiSwitch unit associates a VLAN with each packet based on the Ethernet protocol value and the frame type (ethernet2, 802.3d/SNAP, LLC).

Configuring MAC/IP/protocol-based VLANs

Note the following prerequisites:
  • The VLAN must be created in the FortiSwitch unit
  • The VLAN needs to be allowed on the ingress port
Using the GUI:
  1. Go to Switch > VLAN.
  2. Select Add VLAN for a new VLAN or select Edit for an existing VLAN.
  3. To configure a MAC-based VLAN:
    1. Select Add under Members by MAC Address.
    2. Enter a description and the MAC address.
  4. To configure an IP-based VLAN:
    1. Select Add under Members by IP Address.
    2. Enter a description and the IP address.
  5. Select Add or Update to save the settings.
Using the CLI:

    config switch vlan
        edit <vlan-id>
            config member-by-mac
                edit <id>
                    set mac xx:xx:xx:xx:xx:xx
                    set description <128 byte string>
                next
            end
            config member-by-ipv4
                edit <id>
                    set address a.b.c.d/e    # subnet mask must be 1-32
                    set description <128 byte string>
                next
            end
            config member-by-ipv6
                edit <id>
                    set prefix xx:xx:xx:xx::/prefix    # prefix length must be 1-64
                    set description <128 byte string>
                next
            end
            config member-by-proto
                edit <id>
                    set frametypes ethernet2 802.3d llc    # default is all frame types
                    set protocol 0xXXXX
                next
            end
        next
    end

NOTE: There are hardware limits on how many MAC/IP/protocol-based VLAN entries you can configure. If you try to add entries beyond the limit, the CLI rejects the configuration:

  • When editing an existing VLAN: when you enter next or end on the config member-by command
  • When adding a new VLAN: when you enter next or end on the edit vlan command

NOTE: When VLANs are defined by config member-by-ipv4 or config member-by-ipv6 on some FortiSwitch platforms (2xx and higher), matching ARP traffic is also included in the assigned VLANs. For example, if the ARP target IP address or the ARP sender IP address matches the member-by-ipv4 or member-by-ipv6 address, those ARP packets are placed in the assigned VLAN.

Example configuration

The following example shows a CLI configuration for a MAC-based VLAN where a VOIP phone and a PC share the same switch port.

In this example, a unique VLAN is assigned to the voice traffic, and the PC traffic stays on the default VLAN for the port.

  1. FortiSwitch port 10 is connected to PC2 (a VOIP phone) with MAC address 00:21:cc:d2:76:72.
  2. The phone also forwards traffic from PC3 (MAC address 00:21:cc:d2:76:80).
  3. Assign the PC3 traffic to the default VLAN (1) on port 10.
  4. Assign the voice traffic to VLAN 100.

Configure the voice VLAN

    config switch vlan
        edit 100
            config member-by-mac
                edit 1
                    set description "pc2"
                    set mac 00:21:cc:d2:76:72
                next
            end
        next
    end

Configure switch port 10

    config switch interface
        edit "port10"
            # allow VLAN 100 on this port
            set allowed-vlans 100
            # send VLAN 100 untagged on egress
            set untagged-vlans 100
            set snmp-index 10
        next
    end

Checking the configuration

To view the MAC-based VLAN assignments, use the following command:

    diagnose switch vlan assignment mac list sorted-by-mac

    00:21:cc:d2:76:72   VLAN: 100 Installed: yes
    Source: Configuration (entry 1)
    Description: pc2
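To make the assignment rules in this guide concrete, here is an added Python model of the ingress classification (this is not FortiSwitch code and is not from the guide): it applies member-by-mac, member-by-ipv4/ipv6 (including the ARP sender/target caveat noted for 2xx and higher platforms) and member-by-proto entries to a frame arriving on port10, enforces the 1-32 / 1-64 prefix checks, honours the prerequisite that the VLAN must be allowed on the ingress port, and reports whether the frame leaves tagged. The evaluation order (ascending VLAN id; MAC, then IP, then protocol entries) and the IP-based VLAN 200 subnet are assumptions, not documented behaviour.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class VlanMembers:  # one 'config switch vlan' object's member-by-* entries
    macs: set = field(default_factory=set)      # member-by-mac, lower-case strings
    ipv4: list = field(default_factory=list)    # member-by-ipv4 as IPv4Network
    ipv6: list = field(default_factory=list)    # member-by-ipv6 as IPv6Network
    protos: list = field(default_factory=list)  # member-by-proto: (frametypes, ethertype)

def add_prefix(vm, cidr):
    """Mirror the CLI range check: IPv4 mask must be 1-32, IPv6 prefix 1-64."""
    net = ipaddress.ip_network(cidr, strict=False)
    limit = 32 if net.version == 4 else 64
    if not 1 <= net.prefixlen <= limit:
        raise ValueError(f"prefix length {net.prefixlen} outside 1-{limit}")
    (vm.ipv4 if net.version == 4 else vm.ipv6).append(net)

def assign_vlan(vlans, port, frame):
    """Return the VLAN id an ingress frame on `port` is placed in.
    Assumption (not stated by the guide): VLANs are tried in ascending id order,
    and within a VLAN the MAC, IP, then protocol entries are tried."""
    for vid in sorted(vlans):
        vm = vlans[vid]
        if vid not in port["allowed"]:   # prerequisite: VLAN allowed on ingress port
            continue
        if frame["src_mac"].lower() in vm.macs:
            return vid
        ips = [frame.get("src_ip")]
        if frame["ethertype"] == 0x0806:  # ARP: sender/target IPs also match (2xx+ note)
            ips += [frame.get("arp_sender"), frame.get("arp_target")]
        for ip in filter(None, ips):
            addr = ipaddress.ip_address(ip)
            if any(addr in n for n in (vm.ipv4 if addr.version == 4 else vm.ipv6)):
                return vid
        if any(frame["ethertype"] == et and frame["frametype"] in fts for fts, et in vm.protos):
            return vid
    return port["default"]               # no entry matched: the port's default VLAN

def egress_tagged(port, vid):
    """Egress frames keep the VLAN tag unless 'set untagged-vlans' lists that VLAN."""
    return vid not in port["untagged"]

# Constructed scenario from the page: voice VLAN 100 keyed on the phone's MAC, plus a
# constructed IP-based VLAN 200; port10 allows both and sends VLAN 100 untagged.
VLANS = {100: VlanMembers(macs={"00:21:cc:d2:76:72"}), 200: VlanMembers()}
add_prefix(VLANS[200], "10.1.2.0/24")
PORT10 = {"default": 1, "allowed": {100, 200}, "untagged": {100}}
```

Running assign_vlan with the phone's MAC returns 100, PC3's MAC falls back to VLAN 1, and an ARP whose sender IP is inside 10.1.2.0/24 lands in VLAN 200 even though the frame carries no IP header.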
