"Untagged on the switch means all packets will be tagged with vid 100 regardless of which vid they had originally."
Yes and no...
When an untagged ethernet frame enters the switch the PVID / Private VLAN ID set on the switch port determines the vlan that the switch will place onto the ethernet frame inside the switch.
When an ethernet frame exits the switch, the mode set on the switch port determines whether the vlan tag should be removed or not, a.k.a. tag (keep) or untag.
When placing the switch port in the mode untag, the client device does not get a vlan tagged ethernet frame. (Otherwise we would need all devices to understand vlan tagging.)
Inside the switch ALL frames are tagged by either the PVID or the vlan tag itself.
Outside the switch, this is determined by the setting of the switch port.
Per switch port you usually have three options:
combined (hybrid / ....)
The PVID determines what the switch should do with incoming untagged frames, even if the port is set to tagged only.
Depending on the switch you might need to set the switch port to both vlan X untagged and PVID X, the same value. Remember: PVID is in, untag is out. These are normally the same, otherwise you would end up with some funky behaviour.
Usually when you specify a switch port to be untagged only, the PVID of that port automatically gets set to the same value, but you might want to check that, as these can differ!
For tagged only you do not specify the untagged vlan, but you might optionally need to specify a PVID anyway.
A common practice I use for tagged only ports is to set a PVID that is bogus (example 999) and not use that for any actual vlan. Any untagged ethernet frame entering this switch port will get a vlan tag 999 when entering the switch.
But if there are no ports with tag or untag vlan tag 999, this ethernet frame will never exit the switch and gets dropped.
You can combine one untagged vlan with multiple tagged vlans, which is often called a hybrid port.
For the tagged vlans you don't need to do anything special, just set them to tagged. This will make the switch port accept and send frames according to these vlans with the vlan tag intact when exiting the switch.
The untagged vlan you want to use on this combined port should be set to the same untagged and PVID as mentioned with the untagged only port.
For an untagged only connection between the FortiGate and the switch you do not have to create vlan/sub interfaces on the FortiGate. The FortiGate is basically the same as any other client.
For a tagged only connection between the FortiGate and the switch you will have to create vlan/sub interfaces on the FortiGate with the correct vlan id. You can create multiple vlan/sub interfaces with different tagged vlan ids.
For a combined/hybrid connection between the FortiGate and the switch you can use both the native interface, with the switch port set to the proper PVID and untag vlan, and vlan/sub interfaces for the different tagged vlan ids.
I hope this has cleared things up :)
switch PVID determines tagging of untagged frames entering the switch.
switch PVID should normally be set to switch port vlan untag.
switch port vlan untag: frames exiting the switch will have the vlan tag removed, use the native interface on the FortiGate
switch port vlan tag: frames exiting the switch will have the vlan tag, use vlan/sub interfaces on the FortiGate
switch port hybrid, mix these up
post edited by dennisv - 2019/07/10 02:00:23
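Added example, not from dennisv's post and not FortiOS or switch vendor code: a small Python model of the PVID-in / untag-out rules described above, with an untagged-only client port, a tagged-only FortiGate uplink using the bogus PVID 999, and a hybrid port. Port names and vlan numbers are made up, and the assumption that a tagged frame is only accepted on a port that is a member of that vlan (ingress filtering) is mine; real switches differ in that detail.

```python
from dataclasses import dataclass, field

@dataclass
class SwitchPort:
    """One switch port: PVID applies on ingress, untagged/tagged sets decide egress."""
    name: str
    pvid: int                                   # vlan given to untagged frames entering here
    untagged: set = field(default_factory=set)  # vlans leaving this port with the tag removed
    tagged: set = field(default_factory=set)    # vlans leaving this port with the tag kept

def ingress_vlan(port, wire_vid=None):
    """Vlan the frame carries inside the switch; wire_vid=None means it arrived untagged."""
    if wire_vid is None:
        return port.pvid            # untagged in: the PVID decides, even on a tagged-only port
    # Assumption (ingress filtering): tagged frames are only accepted for member vlans.
    return wire_vid if wire_vid in (port.untagged | port.tagged) else None

def egress_action(port, internal_vid):
    """What the switch does when a frame in internal_vid wants to leave this port."""
    if internal_vid in port.untagged:
        return "untag"              # tag stripped, the client sees a plain ethernet frame
    if internal_vid in port.tagged:
        return "tag"                # 802.1Q tag stays on the wire
    return "drop"                   # port is not a member of that vlan

def forward(in_port, out_port, wire_vid=None):
    """Simulate one frame across the switch: (vlan, tagged_on_wire), or None if dropped."""
    vid = ingress_vlan(in_port, wire_vid)
    if vid is None:
        return None
    action = egress_action(out_port, vid)
    if action == "drop":
        return None
    return (vid, action == "tag")

# Constructed topology: client on an untagged-only port, FortiGate on a tagged-only
# port with bogus PVID 999, and a hybrid port (vlan 10 untagged + vlan 20 tagged).
CLIENT = SwitchPort("port1", pvid=100, untagged={100})
FORTIGATE = SwitchPort("port24", pvid=999, tagged={10, 20, 100})
HYBRID = SwitchPort("port5", pvid=10, untagged={10}, tagged={20})

if __name__ == "__main__":
    print(forward(CLIENT, FORTIGATE))          # (100, True): reaches the vlan100 sub interface
    print(forward(FORTIGATE, CLIENT, 100))     # (100, False): tag stripped for the client
    print(forward(FORTIGATE, CLIENT, 20))      # None: port1 is not a member of vlan 20
    print(forward(FORTIGATE, HYBRID))          # None: untagged frame became vlan 999, nowhere to exit
    print(forward(HYBRID, FORTIGATE))          # (10, True): hybrid PVID 10 leaves the uplink tagged
```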