FortiSwitch VLANs

What the heck are Native and Allowed VLANs?

In the FortiSwitch Management, for Ports and Trunks, it shows Native VLAN and Allowed VLANs. This was new terminology for me. Other switches I’ve used in the past have had either Tagged or Untagged.

If you look in the CLI, you can also assign an Untagged VLAN to ports…

How do you modify the VLANs in the GUI?

Quick note, to change the VLAN in the GUI, find the port, put your mouse over the table cell for the port and VLAN type you want to change, then click the Pencil icon that will show up in the top right of the cell.
This will open a menu where you can select the new settings you want.

If you want to change multiple ports at the same time, you can use the Shift-Click or Control/Command-Click multiple-select methods. In case these terms are not familiar (I may have them wrong): to select a continuous range, click the first in the range, hold Shift and click the last in the range. To select multiple, non-continuous ports, click the first port, hold Control (on Windows) or Command (on Mac) and click the next port, hold the key again and click the third, and repeat until all required selections are made.

Native VLAN

This is sort of like Untagged. As packets ingress into the switch, if they have no tag, the FortiSwitch assigns the Native VLAN as a tag. As packets leave switch ports, if their tag matches the Native VLAN the packet is sent out without a tag. It takes untagged traffic, assigns it a tag, moves it through the network and potentially untags it.

Allowed VLAN

The Allowed VLANs are a list of VLAN IDs that the switch will accept (ingress) or transmit (egress) for that port. The Native VLAN is on this list implicitly, so it doesn’t need to be added. This is like Tagged ports on another vendor’s gear.
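As an added illustration (my own small Python model of the ingress and egress rules described in the two sections above, not FortiSwitch code or anything from Fortinet's docs), with constructed port names and VLAN IDs:

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Frame:
    """An Ethernet frame reduced to its 802.1Q tag; tag=None means untagged."""
    tag: Optional[int]


@dataclass(frozen=True)
class PortVlanConfig:
    """Native and Allowed VLAN settings for one switch port."""
    name: str
    native_vlan: int
    allowed_vlans: FrozenSet[int] = frozenset()

    def carries(self, vid: int) -> bool:
        # The Native VLAN is on the allowed list implicitly, so it never
        # has to be listed (the GUI will not let you add it anyway).
        return vid == self.native_vlan or vid in self.allowed_vlans


def ingress(port: PortVlanConfig, frame: Frame) -> Optional[int]:
    """VLAN ID the frame travels with inside the switch, or None if dropped."""
    if frame.tag is None:
        return port.native_vlan  # untagged -> tagged with the Native VLAN
    return frame.tag if port.carries(frame.tag) else None


def egress(port: PortVlanConfig, vid: int) -> Optional[Frame]:
    """Frame as transmitted out of the port, or None if the port does not carry vid."""
    if not port.carries(vid):
        return None
    # A frame whose VLAN matches the Native VLAN leaves without a tag.
    return Frame(tag=None) if vid == port.native_vlan else Frame(tag=vid)


def forward(in_port: PortVlanConfig, out_port: PortVlanConfig, frame: Frame) -> Optional[Frame]:
    """Run one frame through ingress on in_port and egress on out_port."""
    vid = ingress(in_port, frame)
    return None if vid is None else egress(out_port, vid)


# Constructed example ports: an access-style port for VLAN 10 and an uplink trunk.
ACCESS = PortVlanConfig("port1", native_vlan=10)
TRUNK = PortVlanConfig("port24", native_vlan=1, allowed_vlans=frozenset({10, 20}))

if __name__ == "__main__":
    print(forward(ACCESS, TRUNK, Frame(None)))  # Frame(tag=10): untagged in, tagged out on the trunk
    print(forward(TRUNK, ACCESS, Frame(10)))    # Frame(tag=None): tag 10 stripped on the VLAN 10 access port
    print(forward(TRUNK, ACCESS, Frame(20)))    # None: port1 does not carry VLAN 20
```

Note that a frame already tagged 10 arriving on port1 is also accepted, because the Native VLAN counts as allowed without being listed.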

Can I put the Native VLAN in the Allowed VLAN list?

I’ve tested this on 6.4.6 and 6.4.7 in the GUI - no. When modifying the Allowed VLAN list, it doesn’t include the VLAN currently assigned as Native VLAN.

What is the underlying model here?

Here’s my speculation - I don’t think this is in the docs (I can’t find it). The Fortinet VLAN model is that all packets should have a tag while they are moving through the FortiSwitches. This is why Untagged is hidden on the CLI and the Native VLAN tag gets added on ingress to untagged packets. Also, the Untagged VLAN option only applies on Egress.
I don’t see anything wrong with having all packets tagged as they move through the switch, but this was new to me. I did the CCNA course a long, long time ago. I don’t recall Native VLANs from it. I don’t recall them coming up when I was prepping for the Brocade cert I took (merely a long time ago). It would have simplified my understanding of the terminology if this model had been presented first.
