Technical Tip: Transparent mode best practices

Description

This article applies to the FortiGate deployed in the transparent operating mode.

Scope

FortiGate.

Solution

Here are some points to consider for transparent mode FortiGate deployment to prevent layer 2 mess-ups.

• Do not connect two ports to the same VLAN on a switch or to the same hub. Some Layer 2 switches become unstable when they detect the same MAC address originating on more than one switch interface or from more than one VLAN.
• If multiple VLANs are operated on the FortiGate, assign each VLAN ID to its own forwarding domain to ensure that the scope of the broadcast does not extend beyond the VLAN it originated in.

To protect against Layer 2 loops.

• Enable STP (set stpforward enable) forward on all interfaces.
• Use separate VDOMs for production traffic (TP mode VDOM) and management traffic (NAT mode VDOM).
• Only place those interfaces used for production in the TP mode VDOM. Place all other interfaces in the NAT mode VDOM. This protects against potential Layer 2 loops.