Configuring VLANs
Use Virtual Local Area Networks (VLANs) to logically separate a LAN into smaller broadcast domains. VLANs allow you to define different policies for different types of users and to set finer control on the LAN traffic. (Traffic is only sent automatically within the VLAN. You must configure routing for traffic between VLANs.)
From the FortiGate unit, you can centrally configure and manage VLANs for the managed FortiSwitch units.
In FortiSwitchOS 3.3.0 and later releases, the FortiSwitch supports untagged and tagged frames in FortiLink mode. The switch supports up to 1,023 user-defined VLANs. You can assign a VLAN number (ranging from 1-4095) to each of the VLANs. For FortiSwitch units in FortiLink mode (FortiOS 6.2.0 and later), you can assign a name to each VLAN.
You can configure the default VLAN for each FortiSwitch port as well as a set of allowed VLANs for each FortiSwitch port.
This section covers the following topics:
- Creating VLANs
- Viewing FortiSwitch VLANs
- Changing the VLAN configuration mode
- Configuring multiple managed FortiSwitch VLANs to be used in a software switch
Creating VLANs
Setting up a VLAN requires you to create the VLAN and assign FortiSwitch ports to the VLAN. You can do this with either the Web GUI or CLI.
Using the GUI
To create the VLAN:
- Go to WiFi & Switch Controller > FortiSwitch VLANs, select Create New, and change the following settings:
| Setting | Description |
| --- | --- |
| Interface Name | VLAN name |
| VLAN ID | Enter a number (1-4094) |
| Color | Choose a unique color for each VLAN, for ease of visual display. |
| Role | Select LAN, WAN, DMZ, or Undefined. |
NOTE: If you are using the FortiGate unit's security rating feature, you need to assign a role of LAN, WAN, or DMZ to your FortiLink VLAN interfaces before referencing them in any firewall policies. If this is not done, the security rating score is lowered until the issue is remedied, due to failing the "Interface Classification" requirement.
- Enable DHCP for IPv4 or IPv6.
- Set the Administrative access options as required.
- Select OK.
To assign FortiSwitch ports to the VLAN:
- Go to WiFi & Switch Controller > FortiSwitch Ports.
- Click a port row.
- Click the Native VLAN column in one of the selected entries to change the native VLAN.
- Select a VLAN from the displayed list. The new value is assigned to the selected ports.
- Click the + icon in the Allowed VLANs column to change the allowed VLANs.
- Select one or more of the VLANs (or the value all) from the displayed list. The new value is assigned to the selected port.
Using the FortiSwitch CLI
- Create the VLAN.
config system interface
edit <vlan name>
set vlanid <1-4094>
set color <1-32>
set interface <FortiLink-enabled interface>
end
- Set the VLAN’s IP address.
config system interface
edit <vlan name>
set ip <IP address> <Network mask>
end
- Enable a DHCP server.
config system dhcp server
edit 1
set default-gateway <IP address>
set dns-service default
set interface <vlan name>
config ip-range
set start-ip <IP address>
set end-ip <IP address>
end
set netmask <Network mask>
end
- Assign ports to the VLAN.
config switch-controller managed-switch
edit <Switch ID>
config ports
edit <port name>
set vlan <vlan name>
set allowed-vlans <vlan name>
# or, to allow every VLAN that vlan-all-mode expands to:
set allowed-vlans-all enable
next
end
end
- Assign untagged VLANs to a managed FortiSwitch port:
config switch-controller managed-switch
edit <managed-switch>
config ports
edit <port>
set untagged-vlans <VLAN-name>
next
end
next
end
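The CLI steps above are easy to get subtly wrong (a VLAN ID outside 1-4094, the same ID reused on the same FortiLink interface, or a port whose native or allowed VLAN was never created). The following added example, which is not Fortinet's code, parses a FortiOS-style `config`/`edit`/`set`/`next`/`end` snippet into nested dicts and audits the VLAN and port assignments against the limits stated on this page. The `SAMPLE_CONFIG` text, the switch serial, and the port and VLAN names in it are constructed for the example.

```python
"""Parse a FortiOS CLI snippet and audit its VLAN and port assignments.

This is an added example, not Fortinet's code. SAMPLE_CONFIG is constructed to
mirror the commands on this page; the switch serial, port and VLAN names in it
are assumptions.
"""
import re

VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094   # range accepted by "set vlanid"
MAX_USER_VLANS = 1023                 # user-defined VLAN limit stated on this page

# Constructed sample: two defects are planted (vlanid 4095 on "guest", and
# "iot" reusing vlanid 100 on the same FortiLink interface as "mktg"), plus a
# port whose native VLAN "voice" was never defined.
SAMPLE_CONFIG = """\
config system interface
    edit "mktg"
        set vlanid 100
        set interface "fortilink"
        set ip 10.10.100.1 255.255.255.0
    next
    edit "guest"
        set vlanid 4095
        set interface "fortilink"
    next
    edit "iot"
        set vlanid 100
        set interface "fortilink"
    next
end
config switch-controller managed-switch
    edit "S124DN0000000001"
        config ports
            edit "port5"
                set vlan "mktg"
                set allowed-vlans "mktg" "guest"
            next
            edit "port6"
                set vlan "voice"
                set allowed-vlans-all enable
            next
        end
    next
end
"""

_TOKEN = re.compile(r'"[^"]*"|\S+')   # quoted string or bare word


def parse_fortios(text):
    """Build nested dicts from config/edit/set/next/end lines.

    Result shape: {block: {entry: {key: [values]}}}; a "config" nested inside an
    "edit" becomes a sub-dict of that entry. A bare "end" that also closes an
    open "edit" (FortiOS accepts that) is handled by popping back to the
    enclosing config.
    """
    root = {}
    stack = [("root", root)]            # (kind, container) for each open block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            block = stack[-1][1].setdefault(line[7:], {})
            stack.append(("config", block))
        elif line.startswith("edit "):
            name = line[5:].strip().strip('"')
            stack.append(("edit", stack[-1][1].setdefault(name, {})))
        elif line.startswith("set "):
            key, _, rest = line[4:].partition(" ")
            stack[-1][1][key] = [t.strip('"') for t in _TOKEN.findall(rest)]
        elif line == "next":
            stack.pop()
        elif line == "end":
            while stack.pop()[0] != "config":
                pass
    return root


def audit_vlans(cfg):
    """Return human-readable findings for the VLAN and port configuration."""
    findings = []
    ifaces = cfg.get("system interface", {})
    vlans = {n: s for n, s in ifaces.items() if "vlanid" in s}
    if len(vlans) > MAX_USER_VLANS:
        findings.append(f"{len(vlans)} user-defined VLANs exceeds the limit of {MAX_USER_VLANS}")
    seen = {}                            # (parent interface, vlanid) -> VLAN name
    for name, s in vlans.items():
        vid = int(s["vlanid"][0])
        parent = s.get("interface", ["?"])[0]
        if not VLAN_ID_MIN <= vid <= VLAN_ID_MAX:
            findings.append(f"{name}: vlanid {vid} is outside {VLAN_ID_MIN}-{VLAN_ID_MAX}")
        elif (parent, vid) in seen:
            findings.append(f"{name}: vlanid {vid} on {parent} is already used by {seen[(parent, vid)]}")
        seen.setdefault((parent, vid), name)
    for sw, swcfg in cfg.get("switch-controller managed-switch", {}).items():
        for port, p in swcfg.get("ports", {}).items():
            for key in ("vlan", "allowed-vlans", "untagged-vlans"):
                for ref in p.get(key, []):
                    if ref not in vlans:
                        findings.append(f"{sw}/{port}: {key} references undefined VLAN {ref!r}")
            if p.get("allowed-vlans-all") == ["enable"]:
                findings.append(f"{sw}/{port}: allowed-vlans-all is enabled "
                                "(every VLAN that vlan-all-mode expands to is trunked)")
    return findings


if __name__ == "__main__":
    for finding in audit_vlans(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample it reports four findings: the out-of-range ID, the duplicate ID, the undefined native VLAN on port6, and port6's `allowed-vlans-all`. The last one is informational; it is flagged because what that setting admits depends on `vlan-all-mode`, which is covered later on this page.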
Viewing FortiSwitch VLANs
The WiFi & Switch Controller > FortiSwitch VLANs page displays VLAN information for the managed switches.
Each entry in the VLAN list displays the following information:
- Name—name of the VLAN
- VLAN ID—the VLAN number
- IP/Netmask—address and mask of the subnetwork that corresponds to this VLAN
- Access—administrative access settings for the VLAN
- Ref—number of configuration objects referencing this VLAN
Changing the VLAN configuration mode
You can change which VLANs the set allowed-vlans command affects.
If you want the set allowed-vlans command to apply to all user-defined VLANs, use the following CLI commands:
config switch-controller global
set vlan-all-mode defined
end
If you want the set allowed-vlans command to apply to all possible VLANs (1-4094), use the following CLI commands:
config switch-controller global
set vlan-all-mode all
end
NOTE: You cannot use the set vlan-all-mode all command with the set vlan-optimization enable command.
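The difference between the two modes matters when reviewing a port with allowed-vlans-all enabled: under defined it admits only the VLANs you created, under all it admits every ID from 1 to 4094, including IDs with no VLAN interface behind them. The following added example, not Fortinet's code, models that expansion and reports how many undefined VLAN IDs each port admits; the VLAN table and the port records are constructed, and the names (mktg, guest, iot, port5, port6) are assumptions.

```python
"""What "set allowed-vlans-all enable" expands to under each vlan-all-mode.

Added example, not Fortinet's code; the VLAN table and port records below are
constructed, and the names (mktg, guest, iot, port5/port6) are assumptions.
"""

ALL_POSSIBLE_VLANS = frozenset(range(1, 4095))   # 1-4094, the "all" expansion


def effective_allowed(port, user_vlans, vlan_all_mode):
    """Return the set of VLAN IDs a port admits through its allowed-VLAN setting.

    port:          {"vlan": <native name>, "allowed-vlans": [names],
                    "allowed-vlans-all": "enable" | "disable"}
    user_vlans:    {name: vlanid} for the VLANs defined under config system interface
    vlan_all_mode: value of "set vlan-all-mode" under config switch-controller global
    """
    if port.get("allowed-vlans-all") == "enable":
        if vlan_all_mode == "defined":          # only user-defined VLANs
            return frozenset(user_vlans.values())
        if vlan_all_mode == "all":              # every possible VLAN, 1-4094
            return ALL_POSSIBLE_VLANS
        raise ValueError(f"unknown vlan-all-mode {vlan_all_mode!r}")
    return frozenset(user_vlans[name] for name in port.get("allowed-vlans", []))


def undefined_vlans_admitted(port, user_vlans, vlan_all_mode):
    """VLAN IDs the port carries that have no VLAN interface on the FortiGate.

    Under "all" mode these are trunked with no VLAN interface (and therefore no
    firewall policy or DHCP scope) behind them; a reviewer usually wants this
    set to be empty.
    """
    return effective_allowed(port, user_vlans, vlan_all_mode) - set(user_vlans.values())


def audit_ports(ports, user_vlans, vlan_all_mode):
    """Map port name -> number of undefined VLAN IDs it admits (non-zero = review)."""
    return {name: len(undefined_vlans_admitted(p, user_vlans, vlan_all_mode))
            for name, p in ports.items()}


# Constructed data: three VLANs, one explicit trunk and one allowed-vlans-all port.
USER_VLANS = {"mktg": 100, "guest": 200, "iot": 300}
PORTS = {
    "port5": {"vlan": "mktg", "allowed-vlans": ["mktg", "guest"], "allowed-vlans-all": "disable"},
    "port6": {"vlan": "mktg", "allowed-vlans": [], "allowed-vlans-all": "enable"},
}

if __name__ == "__main__":
    for mode in ("defined", "all"):
        print(mode, audit_ports(PORTS, USER_VLANS, mode))
```

With the constructed data, port6 admits 0 undefined IDs under defined and 4091 under all; port5 is unaffected by the mode because its allowed list is explicit.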
Configuring multiple managed FortiSwitch VLANs to be used in a software switch
Starting in FortiOS 7.2.0 with FortiSwitchOS 7.2.0, you can add multiple managed FortiSwitch VLANs to a software switch using the GUI or CLI. In previous releases, you could add only one managed FortiSwitch VLAN per FortiGate device to a software switch.
Traffic between two VLANs is controlled by the intra-switch-policy setting under the config system switch-interface command. By default, intra-switch-policy is set to implicit, which allows traffic between software switch members.
NOTE: The FortiSwitch VLANs must be configured without IP addresses.
Using the GUI
- Go to Network > Interfaces.
- Create or edit a software switch interface.
- In Interface members, select multiple FortiSwitch VLANs.
- Click OK.
Using the CLI
In the following example, you create two managed FortiSwitch VLANs and then add them to a software switch.
config system interface
edit "vlan1"
set vdom "root"
set device-identification enable
set role lan
set snmp-index 46
set interface "fortilink"
set vlanid 3501
next
edit "vlan2"
set vdom "root"
set device-identification enable
set role lan
set snmp-index 47
set interface "fortilink"
set vlanid 3502
next
end
config system switch-interface
edit "softwareswitch"
set vdom "root"
set member "vlan1" "vlan2"
next
end
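Two things are worth checking before committing a software switch like the one above: that every member is a FortiSwitch VLAN with no IP address, and which member pairs will exchange traffic without any firewall policy once intra-switch-policy is left at implicit (a software switch deliberately undoes the separation between its member VLANs). The following added example, not Fortinet's code, performs both checks on plain dict records; vlan1, vlan2 and softwareswitch mirror the CLI example above, while vlan3 (with an IP address) and vlan9 (undefined) are constructed to show the failure cases. The value explicit for intra-switch-policy is the other documented setting and is not shown on this page.

```python
"""Sanity-check a software switch built from managed FortiSwitch VLANs.

Added example, not Fortinet's code. vlan1, vlan2 and softwareswitch mirror the
CLI example on this page; vlan3 (with an IP address) and vlan9 (undefined) are
constructed to show the failure cases.
"""


def check_software_switch(interfaces, switch):
    """Return problems that would make the software switch definition invalid.

    interfaces: {name: {"interface": parent, "vlanid": int, "ip": (addr, mask) or None}}
    switch:     {"member": [names], "intra-switch-policy": "implicit" | "explicit"}
    """
    problems = []
    for m in switch.get("member", []):
        iface = interfaces.get(m)
        if iface is None:
            problems.append(f"member {m!r} is not a defined interface")
        elif iface.get("ip"):
            problems.append(f"member {m!r} has an IP address; FortiSwitch VLAN members must have none")
    return problems


def unpoliced_member_pairs(switch):
    """Member pairs that exchange traffic without any firewall policy.

    With the default intra-switch-policy "implicit" every member reaches every
    other member. With "explicit" (the other value; not shown on this page) a
    firewall policy is required, so no pair is implied.
    """
    if switch.get("intra-switch-policy", "implicit") != "implicit":
        return set()
    members = switch.get("member", [])
    return {frozenset((a, b)) for i, a in enumerate(members) for b in members[i + 1:]}


# Constructed records; vlan3's address is made up for the failure case.
INTERFACES = {
    "vlan1": {"interface": "fortilink", "vlanid": 3501, "ip": None},
    "vlan2": {"interface": "fortilink", "vlanid": 3502, "ip": None},
    "vlan3": {"interface": "fortilink", "vlanid": 3503, "ip": ("10.3.0.1", "255.255.255.0")},
}
GOOD_SWITCH = {"member": ["vlan1", "vlan2"], "intra-switch-policy": "implicit"}
BAD_SWITCH = {"member": ["vlan1", "vlan3", "vlan9"], "intra-switch-policy": "implicit"}

if __name__ == "__main__":
    print("softwareswitch problems:", check_software_switch(INTERFACES, GOOD_SWITCH))
    print("softwareswitch unpoliced pairs:", unpoliced_member_pairs(GOOD_SWITCH))
    print("bad switch problems:", check_software_switch(INTERFACES, BAD_SWITCH))
```

For the page's own two-member switch the check returns no problems and exactly one unpoliced pair (vlan1, vlan2); the constructed bad switch reports the member with an IP address and the undefined member.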