Home

FortiSwitch VLAN Configuration: Complete Guide from Basics to Advanced Features

.

Virtual Local Area Networks (VLANs) represent a fundamental building block in modern network design, allowing logical segmentation of physical networks into distinct broadcast domains. When working within the Fortinet ecosystem, particularly with FortiGate-managed FortiSwitch deployments, understanding the nuances of VLAN configuration is essential for optimizing security, performance, and manageability.

This comprehensive guide synthesizes official Fortinet documentation and real-world community insights to provide a complete roadmap for configuring VLANs on FortiSwitch devices, whether you're using FortiGate, FortiSwitch Manager, or standalone FortiSwitch units.

Understanding FortiSwitch VLAN Configuration Methods

One of the most common points of confusion among Fortinet administrators is the dual-path approach to VLAN configuration evident in the FortiOS interface. As highlighted in community discussions, when working with a FortiGate managing FortiSwitch units, you'll encounter two distinct sections for VLAN creation:

  • Network Interface VLANs: Found under Network > Interfaces, these are traditional VLAN interfaces used primarily for routing and firewall policy application on the FortiGate itself.
  • FortiSwitch VLANs: Located under WiFi & Switch Controller > FortiSwitch VLANs (or Switch Controller > FortiSwitch VLANs in FortiSwitch Manager), these are switch-specific VLAN configurations that propagate to managed FortiSwitch devices.

A critical distinction exists between these approaches. VLANs created in the Network interface settings do not automatically appear in the FortiSwitch VLAN section, yet the system maintains awareness of their existence, preventing duplicate naming. The standard Fortinet method for switch-connected VLANs is through the FortiSwitch VLANs section, as this allows centralized management and propagation of VLAN configurations to all managed switches.

Step-by-Step VLAN Configuration Procedures

Creating VLANs via Graphical Interface

The process for creating VLANs remains consistent across FortiGate and FortiSwitch Manager interfaces:

  1. Navigate to WiFi & Switch Controller > FortiSwitch VLANs (FortiGate) or Switch Controller > FortiSwitch VLANs (FortiSwitch Manager)
  2. Select Create New and configure the following parameters:
    • Interface Name/VLAN Name: A descriptive identifier for the VLAN
    • VLAN ID: A unique number between 1-4094
    • Color: Visual differentiation (helpful in large deployments)
    • Role: LAN, WAN, DMZ, or Undefined (affects security rating scoring)
  3. Configure optional settings including DHCP services and administrative access controls
  4. Select OK to create the VLAN

Assigning Ports to VLANs

Once VLANs are created, ports must be properly assigned:

  1. Navigate to WiFi & Switch Controller > FortiSwitch Ports or Switch Controller > FortiSwitch Ports
  2. Select the target port or ports
  3. Configure the following critical settings:
    • Native VLAN: Functions as the default VLAN for untagged incoming traffic
    • Allowed VLANs: Specifies which VLANs the port can transmit/receive
    • Untagged VLANs: Determines which VLAN traffic egresses without VLAN tags

Core VLAN Concepts and Port Configuration

Native VLAN: The Default Untagged Handler

The native VLAN configuration on each port handles untagged incoming frames. When untagged traffic arrives at an ingress port, it's automatically assigned to the native VLAN. Correspondingly, when traffic egresses on the native VLAN, the VLAN header is stripped, sending it as untagged traffic. This is particularly important for devices that don't support VLAN tagging.

Allowed VLAN List: Traffic Control Gateway

The allowed VLAN list represents a critical security and traffic shaping mechanism. It acts as a filter determining which VLANs can send or receive frames through a particular port:

  • For tagged frames arriving at an ingress port, the tag must match either the native VLAN or a VLAN on the allowed list
  • For frames egressing a port, the tag must similarly match the native VLAN or an allowed VLAN
  • The command set allowed-vlans-all enable can be used to permit all VLANs (1-4094) when needed

Untagged VLAN List: Egress Traffic Management

The untagged VLAN list specifically controls which VLAN traffic exits a port without VLAN tags. Any VLAN included in the untagged list must also be present in the allowed VLAN list. This setting applies exclusively to egress traffic and is commonly used for connecting to devices that cannot process VLAN tags.

Advanced VLAN Configuration Features

Multiple VLANs in Software Switches

Starting with FortiOS 7.2.0 and FortiSwitchOS 7.2.0, administrators can add multiple managed FortiSwitch VLANs to a single software switch interface. This represents a significant enhancement over previous limitations that restricted configurations to only one managed FortiSwitch VLAN per FortiGate device. The intra-switch-policy setting (default: implicit) controls traffic flow between software switch members.

Inter-VLAN Routing Offload

For organizations requiring high-performance inter-VLAN routing without FortiGate inspection for trusted traffic, inter-VLAN routing offload (available from FortiOS 7.4.1 with FortiSwitchOS 7.4.1) enables supported FortiSwitch models to perform layer-3 routing directly. This feature requires an advanced features license and offers substantial performance benefits for specific traffic flows.

Configuration involves enabling switch-controller-offload on VLAN interfaces and route-offload on managed switches, with specific MCLAG considerations for redundant topologies. When configured, the FortiGate programs the FortiSwitch with switch virtual interfaces (SVIs) and appropriate routing directives to handle specified inter-VLAN traffic locally on the switch fabric.

VLAN Configuration Mode Options

Administrators can tailor VLAN behavior through the vlan-all-mode setting, which controls how the set allowed-vlans command functions:

  • set vlan-all-mode defined: Applies to all user-defined VLANs
  • set vlan-all-mode all: Applies to all possible VLANs (1-4094)

Note that the all mode cannot be used simultaneously with VLAN optimization (set vlan-optimization enable).

Troubleshooting Common VLAN Issues

Allowed VLAN Configuration Problems

Community discussions reveal a recurring issue where allowed VLAN configurations fail to pass traffic as expected. One administrator noted: "Native VLAN assigned to any ports are working fine & able to reach the internet... The Allowed VLANs & Untagged VLANs are not working and not able to reach the internet."

The resolution typically involves several verification steps:

  1. Ensure upstream and downstream devices are properly configured to tag traffic for non-native VLANs
  2. Confirm firewall policies exist for inter-VLAN routing or internet access for the VLAN in question
  3. Verify that the VLAN interface has proper IP configuration and routing settings
  4. Check that the uplink port configuration includes the VLAN in its allowed VLAN list

Configuration Consistency Checks

A fundamental principle in VLAN troubleshooting is configuration consistency across the network path. As highlighted in community responses: "If you set vlan 200 untagged on the port you will also need to change the native vlan to 200 - you cannot have a mismatch."

Similarly, when configuring allowed VLANs, corresponding configurations must exist on connected devices. For instance, if a port allows VLAN 200 traffic, any device sending VLAN 200 traffic to that port must tag it appropriately, unless VLAN 200 is configured as untagged on that port.

Frequently Asked Questions

What's the difference between creating VLANs under Network Interfaces vs. FortiSwitch VLANs?

VLANs created under Network Interfaces are primarily for the FortiGate's routing and firewall policy application, while VLANs created in the FortiSwitch VLANs section are specifically for propagation to managed switches. For switch-connected devices, the FortiSwitch VLANs method is recommended as it enables centralized switch management.

Why don't my allowed VLANs work even though my native VLAN functions perfectly?

This common issue typically stems from incomplete path configuration. Ensure that: 1) The VLAN is allowed on all intermediate ports including uplinks, 2) Firewall policies exist permitting traffic for the VLAN, 3) Connected devices are properly configured to tag traffic for non-native VLANs, and 4) The VLAN interface has correct IP configuration.

Can I use both tagged and untagged VLANs on the same FortiSwitch port?

Yes, FortiSwitch ports support mixed tagging configurations. Configure a native VLAN for untagged traffic, specify allowed VLANs for tagged traffic, and if needed, define untagged VLANs for specific egress traffic. Remember that any untagged VLAN must also be in the allowed VLAN list.

How do I configure a trunk port on a FortiSwitch managed by FortiGate?

Configure a trunk port by setting the allowed VLANs to include all VLANs that should traverse the trunk (or use set allowed-vlans-all enable), and ensure the native VLAN matches on both ends of the trunk connection. Trunk configuration occurs in the FortiSwitch Ports section, not in Network Interfaces.

What are the licensing requirements for inter-VLAN routing offload?

Inter-VLAN routing offload requires an advanced features license on supported FortiSwitch models. Consult the FortiLink Compatibility table for specific model support. This feature enables selected traffic to bypass FortiGate inspection while maintaining routing functionality directly on the switch.

How many VLANs can I configure on FortiSwitch units?

The documentation indicates support for up to 1,023 user-defined VLANs on FortiSwitch units, with VLAN IDs ranging from 1-4095. Actual performance limits may vary based on specific switch models and configurations.

Best Practices for FortiSwitch VLAN Deployment

  1. Maintain consistent naming conventions across your deployment to simplify management
  2. Document VLAN-to-function mappings thoroughly, especially in complex environments
  3. Regularly audit port configurations to ensure compliance with security policies
  4. Test inter-VLAN firewall policies thoroughly during implementation
  5. Consider future scalability when allocating VLAN ID ranges for different departments or functions
  6. Utilize color coding in the GUI for visual VLAN differentiation in complex topologies

FortiSwitch VLAN configuration, while initially complex due to multiple configuration paths, offers powerful network segmentation capabilities when properly implemented. By understanding the distinction between FortiGate and FortiSwitch VLAN contexts, mastering port configuration parameters, and leveraging advanced features like routing offload where appropriate, administrators can build secure, high-performance network infrastructures that align with modern security requirements.