- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Add VLAN sub interfaces to a fisical interface
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add VLAN sub interfaces to a fisical interface
Hi
Right now i have a network in production with no VLANS, a change in circunstances force me to create several VLANS to better segment our network and improve our security.
My question is:
Can i add VLAN Sub interfaces to our, currently in production, VLANless physical interface without consequences or should i create a new interface for the previous physical interface (for example as VLAN 1 or native) beside the new ones with the issues this will bring (DHCP among others)?
Thank in advance
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I answered to your question on a different thread. Please avoid cross-threads for the same issue.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Toshi
I ask you to forgiveme .
It is not quite the same question, this question is about leave everything as it is and add VLAN interfaces over my current interface. The other question was about move a physical interface to a VLAN interface in a manner that do not require to rebuild everything.
Thanks for your comprension.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Definitely you can but I'm wondering how did you configure the other end? If it's another Fortigate, it should be ok. If it's a switch, trunk or access mode?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All my network runs in the native (VLAN 1) VLAN in switchs HP. This is something i need to change but i am affraid to do it over a production network with a bunch of devices. I need that everything keep working while i'm implementing the VLANs.
This is the info you needed?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for reply!
I understand all your network is running within native vlan. But if you need to create a new vlan interface, you need to make sure the port on your HP switch can accept it's vlanid. therefore, it should be in trunking mode.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In your situation, I would create a second trunk interface, define all of your VLANs there, then move devices to the new VLAN (and trunk) after testing the link with a test device on that VLAN for connectivity. Once you are sure the switches route correctly to the 40gate, then flip the port (on the switch) that the server is on to the confirmed good VLAN. This can be done on a machine by machine basis. No big forklift overhaul and you don't affect the running environment until you move that single device.
My two cents
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ericcli
Yes, i'm pretty sure HP switchs (1920 most of them, some 1910) are able to accept vlans id.
I don't think HP switchs, at least not 1920s, use the "trunk" concept as in the Cisco world, in HP the vlans are tagged or untagged for a particular interface. So i should configure the required VLANs in all my switchs, configure the respective VLAN in each port as tagged and in the "trunk" interface i should add as tagged all VLANs that are going to pass through the interface to the next device or router, am i right?
If i add a vlan interface to the physical interface but i don't have configured vlans in the switchs it won't cause any problems to currently running network, do you agree?, or is it i should first and foremost setup vlans in the switchs?, i know i will have to do it eventually, but can i add the vlan interface to the physical interface without causing any interruptions?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can add VLANS sub-interfaces to the physical interfaces without any problem, in fact they will not work because you have to add a policies to be able to move traffic.
1- Create Vlans in your switch.
2- Allow vlans to move across the trunk port.
3-Create sub-interfaces in FTG port (set vlanid, set allowaccess, set ip, set interface .....) do not use vlanid 1 unless you have changed the native vlan in your switch to something different than 1.
4- add policies to allow vlans to route the traffics (you can use zone to combine them to reduce the number of policies id).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Generally its not a good idea to use vid 1 because on many managaeable switches this is the default vid and might screw your networking in consequence.
So better use something else on your FGT to create virtual vlan interfaces. Then they will not interfere with your productive networking so far. You will of course need policies on your FGT for your vlans and you will have to do Port-Vlan-Setup on your switches to distribute your vlans further.
Vlan interfaces on a FGT are btw always untagged in that vlans - i.e. packets that go out via the vlan interface will be tagged with its vid by the FGT even if they are already tagged. On most Switches you can choose if you want the port tagged/untagged or more options.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Related Posts
- SD-WAN and none interface 92 Views
- Can't ping from "Registration IP" to... 131 Views
- Windows Deployment Services not working in... 133 Views
- FortiGate GRE Tunnel with Dynamically obtain... 117 Views
- Physical AP error on deleting WLAN... 166 Views
Labels
-
FortiGate
6,526 -
FortiClient
1,301 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
241 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
FortiAuthenticator
11 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.