FortiSwitch VLAN Configuration CLI: A Technical Investigation into Enterprise Network Segmentation

January 31, 2026.

Master FortiSwitch VLAN configuration CLI: native VLANs, tagged ports, FortiLink integration, and advanced CLI syntax for secure network segmentation.

The Architecture of Control: How FortiSwitch VLANs Operate at the Command Line

Virtual Local Area Networks represent the foundational mechanism for segmenting enterprise traffic, and FortiSwitch implements this capability through a hierarchical CLI structure that demands precision. The system supports VLAN identifiers ranging from 1 to 4094, with capacity for up to 1,023 user-defined VLANs per managed deployment. Each port operates under three distinct VLAN parameters: the native VLAN processes untagged ingress frames, the allowed VLAN list governs which tagged frames traverse the port, and the untagged VLAN list determines which egress frames shed their 802.1Q headers.

This tripartite model creates a flexible but unforgiving configuration environment. Misalignment between these parameters produces silent failures—traffic drops without error messages, connectivity vanishes without log entries. The investigative question becomes: what CLI sequences reliably produce the intended network behavior?

Core CLI Syntax: Building VLANs from the Ground Up

Interface Creation and Addressing

VLAN configuration begins at the system interface level. Administrators initiate the process with the config system interface context, then define the logical interface:

config system interface     edit "VLAN_Marketing"         set vlanid 100         set color 5         set interface "fortilink"         set ip 192.168.100.1 255.255.255.0     next end 

The vlanid parameter accepts values 1-4094, while the interface directive binds the VLAN to a FortiLink-enabled physical or aggregate port. IP addressing follows standard CIDR notation; omitting this step creates a layer-2-only VLAN requiring external routing.

DHCP Server Integration

For automated address assignment, the DHCP server configuration nests within the VLAN context:

config system dhcp server     edit 1         set interface "VLAN_Marketing"         set default-gateway 192.168.100.1         set dns-service default         config ip-range             edit 1                 set start-ip 192.168.100.10                 set end-ip 192.168.100.200             next         end         set netmask 255.255.255.0     next end 

This sequence establishes the VLAN as a routable subnet with automated client provisioning—a critical requirement for scalable deployments.

Port Assignment: The Critical Link Between Logic and Physical Infrastructure

Native and Allowed VLAN Configuration

Port-level VLAN assignment occurs within the managed-switch context, requiring the target switch's serial identifier:

config switch-controller managed-switch     edit "FS1D483Z15000036"         config ports             edit "port1"                 set vlan "VLAN_Marketing"                 set allowed-vlans "VLAN_Marketing"             next         end     next end 

The set vlan directive establishes the native VLAN for untagged ingress traffic. The allowed-vlans parameter functions as a whitelist; frames bearing tags outside this list face immediate discard. For trunk ports carrying multiple VLANs, administrators may substitute set allowed-vlans-all enable to permit the full 1-4094 range, though this approach sacrifices the principle of least privilege.

Untagged Egress Behavior

The untagged-vlans parameter controls egress frame formatting:

config switch-controller managed-switch     edit "FS1D483Z15000036"         config ports             edit "port1"                 set untagged-vlans "VLAN_Marketing"             next         end     next end 

Any VLAN listed here must also appear in the allowed-vlans set—a constraint that prevents configuration contradictions. This mechanism enables legacy device support where endpoints cannot process 802.1Q tags.

Advanced Configuration Modes and Operational Considerations

VLAN Scope Management

The global vlan-all-mode setting determines how allowed-vlans interprets the all keyword:

config switch-controller global     set vlan-all-mode defined end 

When set to defined, the all keyword references only user-created VLANs; when set to all, it encompasses the entire 1-4094 range. This distinction matters for security posture: the defined mode enforces explicit authorization, while all risks unintended VLAN exposure.

Access VLAN Isolation

For scenarios requiring client-to-FortiGate communication only—blocking direct inter-client traffic at layer 2—the switch-controller-access-vlan parameter provides isolation:

config system interface     edit "VLAN_Secure"         set switch-controller-access-vlan enable     next end 

This configuration forces all client traffic through the FortiGate for policy enforcement before permitting inter-VLAN routing. Note that proxy ARP configuration becomes mandatory when enabling this feature.

Inter-VLAN Routing Offload

Advanced deployments may leverage hardware-based inter-VLAN routing on supported FortiSwitch models. This feature offloads trusted traffic forwarding from the FortiGate to the switch ASIC:

config system interface     edit "vlan.10"         set switch-controller-offload enable         set switch-controller-offload-ip 192.168.10.2         set switch-controller-offload-gw enable     next end 

The switch-controller-offload-ip becomes the layer-3 gateway address programmed into the switch hardware, while switch-controller-offload-gw designates which VLAN interface provides the default route. This capability requires an advanced features license and careful topology planning.

Verification and Troubleshooting Methodologies

Effective VLAN deployment demands systematic validation. Key diagnostic commands include:

• show switch-controller managed-switch — displays port VLAN assignments across all managed units
• diagnose switch-controller dump lldp neighbors-detail <switch> — verifies layer-2 adjacency and VLAN propagation
• show system interface <vlan_name> — confirms interface status, IP configuration, and access settings

When connectivity fails, investigators should first verify that the VLAN appears in both the allowed and untagged lists where appropriate, then confirm that the native VLAN matches on both ends of trunk links. Silent drops often trace to mismatched native VLAN configurations or missing entries in the allowed-vlans whitelist.

Frequently Asked Questions

What happens if a frame's VLAN tag is not in the port's allowed-vlans list?
The switch discards the frame immediately at ingress. No log entry is generated by default, making this a common source of "invisible" connectivity failures.

Can a VLAN appear in the untagged-vlans list without being in allowed-vlans?
No. The configuration CLI enforces this dependency; attempting to set an untagged VLAN that is not allowed will either fail or produce undefined behavior depending on firmware version.

How do I configure a trunk port carrying multiple tagged VLANs plus one untagged native VLAN?
Set the native VLAN with set vlan, list all carried VLANs in set allowed-vlans (comma-separated or using all), and specify only the native VLAN in set untagged-vlans.

Does enabling switch-controller-access-vlan affect management traffic to the FortiSwitch itself?
No. Management traffic via the FortiLink control channel operates independently of data-plane access VLAN settings. Only client-originated traffic experiences the isolation.

What is the maximum number of VLANs a single FortiSwitch port can carry?
The allowed-vlans list supports up to 1,023 user-defined VLANs simultaneously, constrained by the system-wide limit rather than per-port capacity.