Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiSwitch 7.0.2 Administration Guide
    7.0.2
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.11
    6.4.6
    6.4.5
    6.4.3
    6.4.2
    6.4.0
    6.2.5
    6.2.2
    6.2.1
    6.2.0

    Packet processing

    Packet processing

    Ingress processing ensures that the port accepts only packets with allowed VLAN values (untagged packets are assigned the native VLAN, which is implicitly allowed). At this point, all packets are now tagged with a valid VLAN.

    The packet is sent to each egress port that can send the packet (because the packet tag value matches the native VLAN or an Allowed VLAN on the port).

    Ingress port

    Untagged packet

    • packet is tagged with the native VLAN and allowed to proceed
    • the Allowed VLAN list is ignored

    Tagged packet

    • tag VLAN value must match an Allowed VLAN or the native VLAN
    • packet retains the VLAN tag and is allowed to proceed

    To control what types of frames are accepted by the port, use the following commands:

    config switch interface

    edit <interface>

    set discard-mode <all-tagged | all-untagged | none>

    end

    Variable

    Description

    all-tagged

    Tagged frames are discarded, and untagged frames can enter the switch.

    all-untagged

    Untagged frames are discarded, and tagged frames can enter the switch.

    none

    By default, all frames can enter the switch, and no frames are discarded.

    Egress port

    All packets that arrive at an egress port are tagged packets.

    If the packet tag value is on the Allowed VLAN list, the packet is sent out with the existing tag.

    If the packet tag value is the native VLAN or on the Untagged VLAN list, the tag is stripped, and then the packet is sent out.

    Otherwise, the packet is dropped.

    Previous
    Next

    Packet processing

    Packet processing

    Ingress processing ensures that the port accepts only packets with allowed VLAN values (untagged packets are assigned the native VLAN, which is implicitly allowed). At this point, all packets are now tagged with a valid VLAN.

    The packet is sent to each egress port that can send the packet (because the packet tag value matches the native VLAN or an Allowed VLAN on the port).

    Ingress port

    Untagged packet

    • packet is tagged with the native VLAN and allowed to proceed
    • the Allowed VLAN list is ignored

    Tagged packet

    • tag VLAN value must match an Allowed VLAN or the native VLAN
    • packet retains the VLAN tag and is allowed to proceed

    To control what types of frames are accepted by the port, use the following commands:

    config switch interface

    edit <interface>

    set discard-mode <all-tagged | all-untagged | none>

    end

    Variable

    Description

    all-tagged

    Tagged frames are discarded, and untagged frames can enter the switch.

    all-untagged

    Untagged frames are discarded, and tagged frames can enter the switch.

    none

    By default, all frames can enter the switch, and no frames are discarded.

    Egress port

    All packets that arrive at an egress port are tagged packets.

    If the packet tag value is on the Allowed VLAN list, the packet is sent out with the existing tag.

    If the packet tag value is the native VLAN or on the Untagged VLAN list, the tag is stripped, and then the packet is sent out.

    Otherwise, the packet is dropped.

    Previous
    Next