
Configure VLANs on a FortiSwitch

Once a FortiSwitch is managed via FortiLink, VLAN configuration is done from the FortiGate. You assign VLANs to switch ports (access or trunk), and the FortiSwitch enforces 802.1Q tagging.

Before You Start

  • The FortiSwitch is authorized and online (see Set Up FortiLink).
  • You have planned your VLAN scheme: which ports are access (untagged for one VLAN) vs trunk (tagged for multiple).
  • The VLAN IDs you'll use exist on the FortiGate side too (so the FortiGate can route between them).

Steps

Create the VLAN on the FortiGate

If you haven't already, create the VLAN sub-interface on the FortiGate that owns the FortiLink port. See Add a VLAN Sub-Interface.

Assign ports to VLAN (access mode)

  1. Go to WiFi & Switch Controller → FortiSwitch Ports.
  2. Click the port you want to be access-mode for a specific VLAN.
  3. Fill in:
    • Native VLAN — the VLAN that's untagged on this port (the access VLAN).
    • Allowed VLANs — for access ports, just the native VLAN.
  4. OK.

Configure a trunk port

For a port that carries multiple tagged VLANs (e.g. to another switch or AP):

  1. FortiSwitch Ports → click port.
  2. Native VLAN — the VLAN that's untagged.
  3. Allowed VLANs — tagged VLANs (e.g. 10 20 30).
  4. OK.

Bulk-assign

Select multiple ports → Edit → apply same VLAN config to all.


CLI Equivalent

config switch-controller managed-switch
edit "S108EXXXXXXXXX"
    config ports
        edit "port5"
            set vlan "sales-vlan"   # Access mode for sales VLAN
        next
        edit "port6"
            set vlan "internal"     # Native VLAN
            set allowed-vlans "sales-vlan engineering-vlan"  # Tagged trunk
        next
    end
next
end

Verify

diagnose switch-controller switch-info port-stats

From a client plugged into a port:

  • If access mode: client should pick up DHCP from the assigned VLAN's scope.
  • If trunk: switch upstream should see correct VLAN tags on incoming frames.

Common Issues

  • Client gets wrong IP. Wrong VLAN assigned to port. Re-check.
  • No DHCP at all. VLAN not configured on FortiGate (only on switch).
  • Trunk to upstream switch broken. Switches disagree on which VLANs are tagged. Match config on both sides.
  • Tagged client devices. Some VoIP phones tag their own traffic — set Native + Allowed appropriately.
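
An added example (not from the original page or from Fortinet): a Python check that parses a managed-switch CLI block in the layout shown under CLI Equivalent and compares each port's native and allowed VLANs with the planned scheme, which surfaces the wrong-VLAN and trunk-mismatch issues listed above. The sample config, the plan and the name voice-vlan are constructed for illustration.

```python
import shlex
# Constructed sample in the CLI layout shown on this page (placeholder serial).
SAMPLE_CONFIG = '''config switch-controller managed-switch
edit "S108EXXXXXXXXX"
    config ports
        edit "port5"
            set vlan "sales-vlan"   # Access mode
        next
        edit "port6"
            set vlan "internal"
            set allowed-vlans "sales-vlan engineering-vlan"
        next
    end
next
end'''
# Hypothetical plan: port -> (native VLAN, tagged VLANs); "voice-vlan" is made up.
PLAN = {"port5": ("sales-vlan", set()), "port6": ("internal", {"sales-vlan", "voice-vlan"})}

def parse_ports(text):
    """Return {switch: {port: {"vlan": name, "allowed": set}}} from the CLI text."""
    switches, stack, switch, port = {}, [], None, None
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)  # drops trailing "# ..." notes
        ctx = stack[-1] if stack else ""       # innermost open "config" block
        if tok[:1] == ["config"]:
            stack.append(tok[-1])
        elif tok[:1] == ["end"] and stack:
            stack.pop()
        elif tok[:1] == ["edit"] and ctx == "managed-switch":
            switch = switches.setdefault(tok[1], {})
        elif tok[:1] == ["edit"] and ctx == "ports":
            port = switch.setdefault(tok[1], {"vlan": None, "allowed": set()})
        elif tok[:2] == ["set", "vlan"] and ctx == "ports":
            port["vlan"] = tok[2]
        elif tok[:2] == ["set", "allowed-vlans"] and ctx == "ports":
            # Accept one quoted list (as on this page) or several quoted names.
            port["allowed"] = {v for t in tok[2:] for v in t.split()}
    return switches

def audit(config_text, plan):
    """Return (switch, port, problem) for every difference from the plan."""
    out = []
    for switch, ports in parse_ports(config_text).items():
        for name, (native, tagged) in plan.items():
            cfg = ports.get(name, {"vlan": None, "allowed": set()})
            if cfg["vlan"] != native:
                out.append((switch, name, f"native {cfg['vlan']}, planned {native}"))
            out += [(switch, name, f"missing tagged {v}") for v in sorted(tagged - cfg["allowed"])]
            out += [(switch, name, f"unplanned tagged {v}")
                    for v in sorted(cfg["allowed"] - tagged - {native})]
    return out
```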