[FortiGate] How to configure tagged/untagged vlan ports

Firewall (UTM)

Work environment

  • FortiGate 60E
    • version 7.0.1

Untagged vlan ports

The configuration of untagged vlan ports is very simple. By setting an IP address for a physical interface (for example, internal1, internal2, …), that physical interface acts as an untagged port.

That is, the vlan of a physical interface corresponds to the native vlan of the opposite switch port on that physical interface.

Note that FortiGate does not allow switching between interfaces in principle. If you want to switch, you need to create a hardware switch to group multiple interfaces.

Tagged vlan ports

To configure the tagged ports, you need to create a vlan interface. A vlan interface is created by associating it with one physical interface. You can create multiple vlan interfaces for one physical interface. One vlan interface corresponds to one vlan id (vlan tag).

You cannot create a vlan interface with the same VLAN ID for multiple interfaces.

Create a vlan interface

Click Network > Interfaces > Create New > Interface.

Set each item on the interface setting screen.

Specify the VLAN in the Type field. In the Interface field, specify the physical interface with which you want to associate the vlan interface. Enter the tag ID in the VLAN ID field.

In the Address field, set the IP address of the vlan interface. The Create address object matching subnet is enabled by default, but I recommend disabling it.

In the Administrative Access field, specify the services to be accepted by the vlan interface. All are disabled by default.

Change the settings of other items as necessary.

After completing the settings, click OK at the bottom.

Confirm that the vlan interface has been created.

CLI config for vlan interface

When configuring the vlan interface with the CLI, configure it with the config system interface.

The config after setting according to the setting example in the above GUI is as follows.

config system interface
    edit "Vlan10"
        set vdom "root"
        set ip
        set allowaccess ping https ssh http
        set type vlan
        set device-identification enable
        set role lan
        set snmp-index 15
        set interface "internal1"
        set vlanid 10


Ads Blocker Image Powered by Code Help Pro

Ads Blocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.