FortiLink Guide

Configuring VLANs

Use Virtual Local Area Networks (VLANs) to logically separate a LAN into smaller broadcast domains. VLANs allow you to define different policies for different types of users and to set finer control on the LAN traffic. (Traffic is only sent automatically within the VLAN. You must configure routing for traffic between VLANs.)

From the FortiGate unit, you can centrally configure and manage VLANs for the managed FortiSwitch units.

In FortiSwitchOS 3.3.0 and later releases, the FortiSwitch supports untagged and tagged frames in FortiLink mode. The switch supports up to 1,023 user-defined VLANs. You can assign a VLAN number (ranging from 1-4095) to each of the VLANs. For FortiSwitch units in FortiLink mode (FortiOS 6.2.0 and later), you can assign a name to each VLAN.

You can configure the default VLAN for each FortiSwitch port as well as a set of allowed VLANs for each FortiSwitch port.

This section covers the following topics:

  • Creating VLANs
  • Viewing FortiSwitch VLANs
  • Changing the VLAN configuration mode
  • Configuring multiple managed FortiSwitch VLANs to be used in a software switch
  • Configuring inter-VLAN routing offload

Creating VLANs

Setting up a VLAN requires you to create the VLAN and assign FortiSwitch ports to the VLAN. You can do this with either the Web GUI or CLI. You can specify native, allowed, and untagged VLANs.

Native VLAN

You can configure a native VLAN for each port. The native VLAN is like a default VLAN for untagged incoming frames. Outgoing frames for the native VLAN are sent as untagged frames.

The native VLAN is assigned to any untagged frame arriving at an ingress port.

At an egress port, if the frame tag matches the native VLAN, the frame is sent out without the VLAN header.

Allowed VLAN list

The allowed VLAN list for each port specifies the VLAN tag values for which the port can transmit or receive frames.

For a tagged frame arriving at an ingress port, the tag value must match a VLAN on the allowed VLAN list or the native VLAN.

At an egress port, the frame tag must match the native VLAN or a VLAN on the allowed VLAN list.

Untagged VLAN list

The untagged VLAN list on a port specifies the VLAN tag values for which the port will transmit frames without the VLAN tag. Any VLAN in the untagged VLAN list must also be a member of the allowed VLAN list.

The untagged VLAN list applies only to egress traffic on a port.

Using the GUI

To create the VLAN:

  1. Go to WiFi & Switch Controller > FortiSwitch VLANs, select Create New, and change the following settings:
     Interface Name: VLAN name
     VLAN ID: Enter a number (1-4094)
     Color: Choose a unique color for each VLAN, for ease of visual display.
     Role: Select LAN, WAN, DMZ, or Undefined.

     NOTE: If you are using the FortiGate unit's security rating feature, you need to assign a role of LAN, WAN, or DMZ to your FortiLink VLAN interfaces before referencing them in any firewall policies. If this is not done, the security rating score is lowered until the issue is remedied, due to failing the "Interface Classification" requirement.

  2. Enable DHCP for IPv4 or IPv6.
  3. Set the Administrative access options as required.
  4. Select OK.

To assign FortiSwitch ports to the VLAN:

  1. Go to WiFi & Switch Controller > FortiSwitch Ports.
  2. Click a port row.
  3. Click the Native VLAN column in one of the selected entries to change the native VLAN.
  4. Select a VLAN from the displayed list. The new value is assigned to the selected ports.
  5. Click the + icon in the Allowed VLANs column to change the allowed VLANs.
  6. Select one or more of the VLANs (or the value all) from the displayed list. The new value is assigned to the selected port.

Using the FortiSwitch CLI

  1. Create the marketing VLAN.

    config system interface
    edit <vlan name>
    set vlanid <1-4094>
    set color <1-32>
    set interface <FortiLink-enabled interface>
    end

  2. Set the VLAN’s IP address.

    config system interface
    edit <vlan name>
    set ip <IP address> <Network mask>
    end

  3. Enable a DHCP server.

    config system dhcp server
    edit 1
    set default-gateway <IP address>
    set dns-service default
    set interface <vlan name>
    config ip-range
    set start-ip <IP address>
    set end-ip <IP address>
    end
    set netmask <Network mask>
    end

  4. Assign ports to the VLAN.

    config switch-controller managed-switch
    edit <Switch ID>
    config ports
    edit <port name>
    set vlan <vlan name>
    set allowed-vlans <vlan name>
    or
    set allowed-vlans-all enable
    next
    end
    end

  5. Assign untagged VLANs to a managed FortiSwitch port:

    config switch-controller managed-switch
    edit <managed-switch>
    config ports
    edit <port>
    set untagged-vlans <VLAN-name>
    next
    end
    next
    end
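The following Python script is an added example, not Fortinet code and not part of this guide. It models the native, allowed and untagged VLAN rules from the Creating VLANs section: it parses a small, constructed config switch-controller managed-switch snippet written with the keywords from step 4 and step 5 (the switch name FS-EXAMPLE-SERIAL and the VLAN names users, voice, printers and default are made up), checks that every untagged VLAN is also an allowed VLAN, and then decides for sample frames whether they are accepted on ingress and whether they leave tagged or untagged on egress. allowed-vlans-all is treated as accepting any tag, which corresponds to vlan-all-mode all; the defined mode is not modelled.

```python
"""Model of FortiSwitch port VLAN handling: native, allowed and untagged lists.

Added example, not Fortinet code.  Parses a constructed FortiOS-style
'config switch-controller managed-switch' snippet and applies the
ingress/egress rules from the 'Creating VLANs' section.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PortVlans:
    name: str
    native: Optional[str] = None                # set vlan <vlan name>
    allowed: set = field(default_factory=set)   # set allowed-vlans ...
    allowed_all: bool = False                   # set allowed-vlans-all enable
    untagged: set = field(default_factory=set)  # set untagged-vlans ...


# Constructed sample; the switch name and the VLAN names are made up.
SAMPLE_CONFIG = """
config switch-controller managed-switch
    edit "FS-EXAMPLE-SERIAL"
        config ports
            edit "port1"
                set vlan "users"
                set allowed-vlans "voice" "printers"
                set untagged-vlans "printers"
            next
            edit "port2"
                set vlan "users"
                set allowed-vlans "voice"
                set untagged-vlans "printers"
            next
            edit "port24"
                set vlan "default"
                set allowed-vlans-all enable
            next
        end
    next
end
"""


def parse_ports(config_text: str) -> dict:
    """Collect the VLAN settings of each entry under 'config ports'.

    Only the keywords used on this page are understood; anything else is skipped.
    """
    ports, current, in_ports = {}, None, False
    for raw in config_text.splitlines():
        tokens = raw.replace('"', "").split()
        if not tokens:
            continue
        if tokens[:2] == ["config", "ports"]:
            in_ports = True
        elif not in_ports:
            continue                            # outside 'config ports'
        elif tokens[0] == "edit":
            current = PortVlans(name=tokens[1])
            ports[current.name] = current
        elif tokens[0] == "set" and current is not None:
            key, values = tokens[1], tokens[2:]
            if key == "vlan":
                current.native = values[0]
            elif key == "allowed-vlans":
                current.allowed.update(values)
            elif key == "allowed-vlans-all":
                current.allowed_all = values[0] == "enable"
            elif key == "untagged-vlans":
                current.untagged.update(values)
        elif tokens[0] == "next":
            current = None
        elif tokens[0] == "end":
            in_ports = False                    # back at the managed-switch level
    return ports


def validate(port: PortVlans) -> list:
    """Every untagged VLAN must also be on the allowed VLAN list."""
    if port.allowed_all:
        return []
    return [f"{port.name}: untagged VLAN {v} is not in the allowed VLAN list"
            for v in sorted(port.untagged - port.allowed)]


def ingress(port: PortVlans, tag: Optional[str]) -> Optional[str]:
    """VLAN a received frame is placed in; None means the frame is dropped.

    tag=None is an untagged frame, which takes the port's native VLAN.
    """
    if tag is None:
        return port.native
    if tag == port.native or port.allowed_all or tag in port.allowed:
        return tag
    return None


def egress(port: PortVlans, vlan: str) -> Optional[str]:
    """'untagged' or 'tagged' for a frame leaving the port; None if not forwarded."""
    if not (vlan == port.native or port.allowed_all or vlan in port.allowed):
        return None
    if vlan == port.native or vlan in port.untagged:
        return "untagged"                       # native VLAN and untagged list drop the tag
    return "tagged"


if __name__ == "__main__":
    ports = parse_ports(SAMPLE_CONFIG)
    for port in ports.values():
        for problem in validate(port):
            print("WARNING:", problem)
    p1 = ports["port1"]
    for tag in (None, "voice", "guest"):
        print(f"port1 ingress tag={tag!r}: -> {ingress(p1, tag)!r}")
    for vlan in ("users", "printers", "voice", "guest"):
        print(f"port1 egress vlan={vlan}: {egress(p1, vlan)}")
```

Run it as a script to print the warnings and the per-frame decisions. From a defender's point of view the interesting results are the dropped frame (a tag outside the allowed list never crosses port1 in either direction) and the warning on port2, whose untagged list names a VLAN the port is not allowed to carry; port24 with allowed-vlans-all enable forwards every VLAN and therefore needs the same scrutiny as any trunk port.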

Viewing FortiSwitch VLANs

The WiFi & Switch Controller > FortiSwitch VLANs page displays VLAN information for the managed switches.

Each entry in the VLAN list displays the following information:

  • Name—name of the VLAN
  • VLAN ID—the VLAN number
  • IP/Netmask—address and mask of the subnetwork that corresponds to this VLAN
  • Access—administrative access settings for the VLAN
  • Ref—number of configuration objects referencing this VLAN

Changing the VLAN configuration mode

You can change which VLANs the set allowed-vlans command affects.

If you want the set allowed-vlans command to apply to all user-defined VLANs, use the following CLI commands:

config switch-controller global
set vlan-all-mode defined
end

If you want the set allowed-vlans command to apply to all possible VLANs (1-4094), use the following CLI commands:

config switch-controller global
set vlan-all-mode all
end

NOTE: You cannot use the set vlan-all-mode all command with the set vlan-optimization enable command.

Configuring multiple managed FortiSwitch VLANs to be used in a software switch

Starting in FortiOS 7.2.0 with FortiSwitchOS 7.2.0, you can add multiple managed FortiSwitch VLANs to a software switch using the GUI or CLI. In previous releases, you could add only one managed FortiSwitch VLAN per FortiGate device to a software switch.

Traffic between two VLANs is controlled by the intra-switch-policy setting under the config system switch-interface command. By default, intra-switch-policy is set to implicit, which allows traffic between software switch members.

NOTE: The FortiSwitch VLANs must be configured without IP addresses.

Using the GUI

  1. Go to Network > Interfaces.
  2. Create or edit a software switch interface.
  3. In Interface members, select multiple FortiSwitch VLANs.
  4. Click OK.

Using the CLI

In the following example, you create two managed FortiSwitch VLANs and then add them to a software switch.

config system interface
edit "vlan1"
set vdom "root"
set device-identification enable
set role lan
set snmp-index 46
set interface "fortilink"
set vlanid 3501
next
edit "vlan2"
set vdom "root"
set device-identification enable
set role lan
set snmp-index 47
set interface "fortilink"
set vlanid 3502
next
end

config system switch-interface
edit "softwareswitch"
set vdom "root"
set member "vlan1" "vlan2"
next
end

Configuring inter-VLAN routing offload

NOTE: Inter-VLAN routing offload requires an advanced features license. For more information, refer to Adding a license.

Starting in FortiOS 7.4.1 with FortiSwitchOS 7.4.1, managed FortiSwitch units can perform inter-VLAN routing. The FortiGate device can program the FortiSwitch unit to do the layer-3 routing of trusted traffic between specific VLANs. In this case, the traffic flows are trusted by the user and do not need to be inspected by the FortiGate device.

Inter-VLAN routing offload is applied to the supported FortiSwitch model located closest to the FortiGate device in the topology. Refer to the FortiLink Compatibility table to find which FortiSwitch models support this feature.

You can use an MCLAG with inter-VLAN routing.

To configure inter-VLAN routing offload:

1. Configure both VLANs for routing offload.

2. Configure the switches for routing offload.

Configure both VLANs for routing offload

By default, switch-controller-offload and switch-controller-offload-gw are disabled.

The switch-controller-offload-ip option is available only when switch-controller-offload is enabled.

The set allowaccess ping command is configured automatically if it is not already specified.

Enable switch-controller-offload-gw on a single VLAN interface. The clients can use the offload IP addresses (configured in the set switch-controller-offload-ip command) as the default gateway, which is executed on the FortiSwitch unit. If you are using a DHCP server on the offloaded FortiSwitch VLANs, adjust the DHCP gateway address to match the switch-controller-offload-ip address.

config system interface
edit <VLAN_name>
set ip <IP_address_netmask>
set switch-controller-offload {enable | disable}
set switch-controller-offload-ip <IP_address>
set switch-controller-offload-gw {enable | disable}
next
end
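As an added example, not Fortinet code and not part of this guide, the Python script below checks a set of VLAN interface and DHCP server settings against the rules stated above before they are committed on the FortiGate. The settings are plain dictionaries keyed by the CLI keywords on this page; the sample values are constructed from the configuration example later in this section (192.168.10.0/24 and 192.168.20.0/24), plus a made-up vlan.30 and a DHCP entry that still hands out the FortiGate address as the gateway. The check that the offload IP lies inside the VLAN subnet and differs from the FortiGate's own address is an assumption added here, not a rule the guide states. The script also lists which VLAN pairs will be routed on the FortiSwitch, which is exactly the traffic that no longer passes through FortiGate firewall policies.

```python
"""Pre-flight checks for inter-VLAN routing offload settings.

Added example, not Fortinet code.  Input dictionaries use the CLI keywords
from this page; sample values are constructed from the configuration
example in this section plus a made-up vlan.30.
"""
import ipaddress
from itertools import combinations

VLAN_INTERFACES = {
    "vlan.10": {"ip": "192.168.10.1/24",
                "switch-controller-offload": "enable",
                "switch-controller-offload-ip": "192.168.10.2",
                "switch-controller-offload-gw": "enable"},
    "vlan.20": {"ip": "192.168.20.1/24",
                "switch-controller-offload": "enable",
                "switch-controller-offload-ip": "192.168.20.2",
                "switch-controller-offload-gw": "disable"},
    # Constructed: an offload IP is given although offload itself is disabled.
    "vlan.30": {"ip": "192.168.30.1/24",
                "switch-controller-offload": "disable",
                "switch-controller-offload-ip": "192.168.30.2",
                "switch-controller-offload-gw": "disable"},
}
# Constructed DHCP servers: vlan.20 still hands out the FortiGate address.
DHCP_SERVERS = [
    {"interface": "vlan.10", "default-gateway": "192.168.10.2"},
    {"interface": "vlan.20", "default-gateway": "192.168.20.1"},
]


def offloaded_vlans(interfaces: dict) -> list:
    """Names of VLANs with switch-controller-offload enabled, sorted."""
    return sorted(n for n, s in interfaces.items()
                  if s.get("switch-controller-offload") == "enable")


def check_offload(interfaces: dict, dhcp_servers: list) -> list:
    """Return human-readable findings; an empty list means the settings are consistent."""
    findings = []
    for name, s in interfaces.items():
        enabled = s.get("switch-controller-offload") == "enable"
        off_ip = s.get("switch-controller-offload-ip")
        if off_ip and not enabled:
            findings.append(f"{name}: switch-controller-offload-ip is only available "
                            f"when switch-controller-offload is enabled")
        elif enabled and off_ip:
            # Assumption added here: the offload IP must be a free address in the VLAN subnet.
            fg = ipaddress.ip_interface(s["ip"])
            off = ipaddress.ip_address(off_ip)
            if off not in fg.network or off == fg.ip:
                findings.append(f"{name}: offload IP {off_ip} must be an unused address "
                                f"inside {fg.network}")
    gw = [n for n, s in interfaces.items()
          if s.get("switch-controller-offload-gw") == "enable"]
    if len(gw) != 1:
        findings.append(f"switch-controller-offload-gw is enabled on {len(gw)} VLANs; "
                        f"the guide says to enable it on a single VLAN interface")
    offloaded = set(offloaded_vlans(interfaces))
    for d in dhcp_servers:
        iface = d["interface"]
        if iface in offloaded:
            want = interfaces[iface].get("switch-controller-offload-ip")
            if d["default-gateway"] != want:
                findings.append(f"DHCP on {iface}: default-gateway {d['default-gateway']} "
                                f"should match the offload IP {want}")
    return findings


def bypassed_pairs(interfaces: dict) -> list:
    """VLAN pairs routed on the FortiSwitch, i.e. not inspected by FortiGate policies."""
    return list(combinations(offloaded_vlans(interfaces), 2))


if __name__ == "__main__":
    for finding in check_offload(VLAN_INTERFACES, DHCP_SERVERS):
        print("FINDING:", finding)
    for a, b in bypassed_pairs(VLAN_INTERFACES):
        print(f"{a} <-> {b}: routed on the switch, not via FortiGate policies")
```

On the sample input the script reports two findings (the unusable offload IP on vlan.30 and the DHCP gateway on vlan.20 that still points at the FortiGate, so those clients keep routing through the firewall instead of the switch) and one bypassed pair, vlan.10 and vlan.20. Treat that pair list as the review checklist: every pair on it is traffic the FortiGate no longer sees, so it should be traffic you have deliberately decided to trust.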

Configure the switches for routing offload

By default, route-offload and route-offload-mclag are disabled.

When you have an MCLAG configured, you need to enable route-offload-mclag and configure config route-offload.

The config route-offload commands are available only when route-offload-mclag is enabled.

Use router-ip to specify the router IP address for VRRP.

config switch-controller managed-switch
edit <FortiSwitch_serial_number>
set route-offload {enable | disable}
set route-offload-mclag {enable | disable}
config route-offload
edit <VLAN_name_1>
set router-ip <IP_address_1>
next
edit <VLAN_name_2>
set router-ip <IP_address_2>
next
end
next
end

Configuration example

The following example shows how the default routing between Host A and Host B uses the active FortiGate device in HA mode. When inter-VLAN routing is enabled, VLAN10 on Host A routes through FortiSwitch 3, FortiSwitch 1, FortiSwitch 2, and FortiSwitch 5 to VLAN 20 on Host B.

  1. Configure both VLANs for routing offload.

    config system interface
    edit "vlan.10"
    set ip 192.168.10.1/24
    set switch-controller-offload enable
    set switch-controller-offload-ip 192.168.10.2
    set switch-controller-offload-gw enable
    next
    edit "vlan.20"
    set ip 192.168.20.1/24
    set switch-controller-offload enable
    set switch-controller-offload-ip 192.168.20.2
    next
    end

  2. Configure FortiSwitch 1 to route to Host A and Host B. Because this example uses MCLAG, you need to enable route-offload-mclag and configure config route-offload.

    config switch-controller managed-switch
    edit ST1E24TF21000347
    set route-offload enable
    set route-offload-mclag enable
    config route-offload
    edit "vlan.10"
    set router-ip 192.168.10.3
    next
    edit "vlan.20"
    set router-ip 192.168.20.3
    next
    end
    next
    end

  3. Configure FortiSwitch 2 to route to Host A and Host B. Because this example uses MCLAG, you need to enable route-offload-mclag and configure config route-offload.

    config switch-controller managed-switch
    edit ST1E24TF21000408
    set route-offload enable
    set route-offload-mclag enable
    config route-offload
    edit "vlan.10"
    set router-ip 192.168.10.4
    next
    edit "vlan.20"
    set router-ip 192.168.20.4
    next
    end
    next
    end

When inter-VLAN routing is enabled on a VLAN, the FortiGate device configures the following on a FortiSwitch unit:

  • A switch virtual interface (SVI) for each FortiSwitch VLAN, configured with the switch-controller-offload-ip address.
  • A default route in vrf1:
    • with the gateway set to the IP address on the FortiGate device of the VLAN with switch-controller-offload-gw enabled
    • with set gw-l2-switch enabled to forward packets to the FortiGate device without modifying the VLAN and source MAC address
