Add a VLAN Sub-Interface

A VLAN lets you carry multiple logical networks over a single physical port. The FortiGate "tags" outgoing frames with a VLAN ID (an 802.1Q tag) and reads tags on incoming frames to know which VLAN they belong to. Each VLAN appears in FortiOS as its own sub-interface (with its own IP, firewall policies, etc.).

Use VLANs when you want to segment networks (Sales / Engineering / Guest / IoT) without running separate cables.
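To make the "tag" concrete, here is an added example (not code from the FortiOS documentation) that builds and parses an 802.1Q-tagged Ethernet frame in Python. It shows the 4-byte tag (TPID 0x8100 followed by priority and VLAN ID) sitting between the source MAC and the EtherType, how a receiving port decides whether a frame is tagged, and how the tag pushes a full-size frame past the classic 1518-byte limit, which is the MTU problem discussed under Common Issues. MAC addresses, VLAN IDs and payloads are constructed sample values, and the built frame omits the trailing FCS.

```python
# Added example (not from the FortiOS page): build and parse an 802.1Q-tagged
# Ethernet frame to show what the VLAN "tag" is and why it costs 4 bytes.
# All addresses, VLAN IDs and payloads below are constructed sample values.
import struct
from typing import Dict, Optional, Tuple

TPID_8021Q = 0x8100        # EtherType value that announces "a VLAN tag follows"
ETHERTYPE_IPV4 = 0x0800
UNTAGGED_MAX_FRAME = 1518  # 14-byte header + 1500-byte payload + 4-byte FCS


def mac(text: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' into its 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, payload: bytes, vlan_id: Optional[int] = None,
                pcp: int = 0, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Return an Ethernet II frame without FCS; tagged when vlan_id is given."""
    header = mac(dst) + mac(src)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        # TCI = 3-bit priority (PCP), 1-bit DEI (left 0), 12-bit VLAN ID
        tci = (pcp << 13) | vlan_id
        header += struct.pack("!HH", TPID_8021Q, tci)   # the 4-byte 802.1Q tag
    header += struct.pack("!H", ethertype)
    return header + payload


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Read a frame the way a receiving port does: the EtherType slot decides
    whether a tag is present, and if so the VLAN ID comes from the TCI."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info: Dict[str, object] = {"dst": dst.hex(":"), "src": src.hex(":"),
                               "vlan_id": None, "pcp": None}
    offset = 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["vlan_id"] = tci & 0x0FFF
        info["pcp"] = tci >> 13
        offset = 18
    info["ethertype"] = ethertype
    info["payload_len"] = len(frame) - offset
    return info


def tag_overhead(payload_len: int) -> Tuple[int, bool]:
    """On-wire size (including FCS) of a tagged frame carrying payload_len
    bytes, and whether it exceeds the untagged maximum of 1518 bytes."""
    total = 14 + 4 + payload_len + 4
    return total, total > UNTAGGED_MAX_FRAME


if __name__ == "__main__":
    frame = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                        b"\x45" + b"\x00" * 19, vlan_id=10)
    print(parse_frame(frame))
    print(tag_overhead(1500))   # a 1500-byte payload becomes a 1522-byte frame
```

Run it directly to see the parsed tag for VLAN 10; `tag_overhead(1500)` is the reason a path that is already at a 1500-byte MTU needs either jumbo-tolerant switches or a reduced interface MTU.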

Before You Start

  • The upstream switch supports VLANs (any managed switch does) and the trunk port is configured to send/receive the VLAN tags you'll use.
  • You know the VLAN IDs you'll create (e.g. 10, 20, 100).
  • You know which physical port will carry the tagged traffic — typically a port connected to a trunk port on the switch.

Steps

  1. Network → Interfaces → + Create New → Interface.
  2. Fill in:
    • Name — e.g. sales-vlan. Keep it short; this is the FortiOS interface name you'll reference elsewhere.
    • Alias — friendly label, e.g. Sales LAN.
    • Type — VLAN.
    • Interface — pick the physical parent port (e.g. port5).
    • VLAN ID — the tag number (e.g. 10).
    • Role — usually LAN.
    • Addressing mode — Manual; set the IP/netmask that will be this VLAN's gateway (e.g. 10.0.10.1/24).
    • Administrative Access — PING is typical; add HTTPS/SSH if you want to manage the FortiGate from this VLAN.
    • DHCP Server — usually enabled with a scope appropriate to the VLAN.
    • Device Detection — Enabled.
  3. Click OK.

CLI Equivalent

config system interface
    edit sales-vlan
        set vdom root
        set ip 10.0.10.1 255.255.255.0
        set allowaccess ping https
        set role lan
        set interface port5
        set vlanid 10
    next
end

Verify

get system interface
# Look for sales-vlan in the list with status=up and the IP you set.

diagnose hardware deviceinfo nic port5
# Confirms port5 is the parent and shows VLAN tag handling.

From a client device on the VLAN, ping the gateway IP you assigned. It should respond.

Common Issues

  • VLAN comes up but the client can't reach the gateway. The switch port isn't trunked for this VLAN. Check the switch config — the port the FortiGate is plugged into must allow VLAN 10 (tagged) and the client's port must be an access port for VLAN 10 (untagged).
  • Wrong VLAN ID. The ID is mismatched between the switch and the FortiGate. Confirm both sides.
  • MTU issues / fragmentation. VLAN tagging adds 4 bytes to every frame. If the MTU on the path is already at the limit, set the FortiGate interface MTU to 1496 (1500 - 4) or align it with the rest of the network.
  • Multiple VLANs on the same physical port, but only one works. The switch port is in "access" mode for a single VLAN. It must be in "trunk" mode with all required VLANs allowed.
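The first, second and fourth issues above are all "the two sides disagree about VLAN IDs" problems, which is easy to check from the configs before anyone plugs in a client. The following is an added example (not FortiOS or Fortinet code) in Python: it parses the VLAN sub-interfaces out of a FortiOS `config system interface` block and compares them with the VLANs the switch trunk facing each parent port allows. The FortiOS text mirrors the page's CLI block plus a constructed second VLAN (`guest-vlan`, ID 100); the switch trunk data is a constructed sample, and the `parse_vlan_interfaces` / `find_mismatches` names are this example's own.

```python
# Added example (not FortiOS code): detect VLAN ID mismatches between a FortiGate
# interface config and the upstream switch trunk before they show up as
# "VLAN is up but the client can't reach the gateway".
import re
from typing import Dict, List, Set

# Constructed sample: the page's sales-vlan entry plus a second VLAN and the
# parent port, in the shape "show system interface" prints.
FORTIOS_CONFIG = """\
config system interface
    edit sales-vlan
        set vdom root
        set ip 10.0.10.1 255.255.255.0
        set allowaccess ping https
        set role lan
        set interface port5
        set vlanid 10
    next
    edit guest-vlan
        set vdom root
        set ip 10.0.100.1 255.255.255.0
        set interface port5
        set vlanid 100
    next
    edit port5
        set vdom root
        set type physical
    next
end
"""

# Constructed sample: VLANs the switch permits (tagged) on the port facing
# each FortiGate parent port. Note VLAN 100 is missing.
SWITCH_TRUNK_ALLOWED: Dict[str, Set[int]] = {"port5": {10, 20}}


def parse_vlan_interfaces(config: str) -> Dict[str, Dict[str, object]]:
    """Return {name: {"name", "parent", "vlanid", "ip"}} for every edit block
    that carries a 'set vlanid' line; physical ports are skipped."""
    result: Dict[str, Dict[str, object]] = {}
    current: Dict[str, object] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^edit\s+(\S+)$", line)
        if m:
            current = {"name": m.group(1)}
            continue
        if line == "next" and current:
            if "vlanid" in current:
                result[str(current["name"])] = current
            current = {}
            continue
        m = re.match(r"^set\s+(\S+)\s+(.+)$", line)
        if m and current:
            key, val = m.groups()
            if key == "vlanid":
                current["vlanid"] = int(val)
            elif key == "interface":
                current["parent"] = val
            elif key == "ip":
                current["ip"] = val.split()[0]   # keep the address, drop the mask
    return result


def find_mismatches(vlans: Dict[str, Dict[str, object]],
                    trunk_allowed: Dict[str, Set[int]]) -> List[str]:
    """Flag out-of-range IDs, duplicate IDs on one parent, parents with no
    trunk data, and VLANs the switch trunk does not allow."""
    problems: List[str] = []
    seen: Dict[tuple, str] = {}
    for name, v in vlans.items():
        parent, vid = str(v.get("parent", "?")), int(v["vlanid"])
        if not 1 <= vid <= 4094:
            problems.append(f"{name}: VLAN ID {vid} out of range")
        if (parent, vid) in seen:
            problems.append(f"{name}: VLAN {vid} on {parent} duplicates {seen[(parent, vid)]}")
        seen[(parent, vid)] = name
        allowed = trunk_allowed.get(parent)
        if allowed is None:
            problems.append(f"{name}: no trunk data for parent {parent}")
        elif vid not in allowed:
            problems.append(f"{name}: VLAN {vid} not allowed on switch trunk facing {parent}")
    return problems


if __name__ == "__main__":
    for issue in find_mismatches(parse_vlan_interfaces(FORTIOS_CONFIG), SWITCH_TRUNK_ALLOWED):
        print(issue)
```

Feed it the real output of `show system interface` and the allowed-VLAN list from the switch's trunk port, and the report names each sub-interface that will come up on the FortiGate but never see a tagged frame.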