Skip to main content
jcarlilesiu
jcarlilesiu
New Member
August 15, 2025
Question

Expanding Network Topology/Configuration Help

  • August 15, 2025
  • 2 replies
  • 553 views

All,

 

We are a self managed small but growing design practice utilizing a FortiGate 60E in our file server.  Our office is expanding to the floor above our current space.  We currently have the following hardware in our rack:

 

- Apple Mac Pro (Mostly a mac environment)

- FortiGate 60E

- Cisco SG200-50P Switch

- Comcast Router

- 4G Cellular Failover Router

- Sonnett Tech Echo (NAS)

- Security Camera Headunit

 

Everything else is just monitor, keyboard, battery backup etc.  We are expanding to the second floor and will be moving both the Mac Pro and the NAS upstairs.  We purchased another Cisco SG200-50P for upstairs switching. 

 

Currently, the Comcast Router (WAN1) and 4G Router (WAN2) are connected to the FortiGate which then routes to the Cisco Switch.  We are currently utilizing about 32 ports which is a mixture of data only endpoints and some VOIP endpoints.  We additionally have a UniFi software controller and a couple of WAPs serving internal staff and a client/guest network. 

 

The format of endpoints will be likely the same upstairs. 

 

From a network perspective, we have our LAN1 (internal), VLAN43 (VOIP), and VLAN100 (guest/wifi).  We have the two WANs above, and use SSL VPN for our field staff.  We have the following firewall policies in place (though I think some of them are unused):

 

Screenshot 2025-08-15 at 2.31.59 PM.png 

Im simply trying to figure out the best way to expand the network upstairs in both the best practices method as well as what's easiest.  The new rack is going directly above the current one. 

 

I think simply using another internal port on the FortiGate to the switch upstairs would be acceptable, putting both switches on their own VLAN (VLAN 1 & 43 downstairs and VLAN 2 & 44 upstairs)?  With all endpoints connected through a patchpanel to their respective switch on each floor?

 

In total, we will have about 20 users and likely about 60 total across the network?

 

Is there any inherent downside to this plan?  Better way to do it?  I appreciate any help you can provide. 

 

Im simply trying to figure out the 

 

2 replies

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
August 16, 2025

not sure how you could find a "new" SG200-50P, which was discontinued about 7 years ago. But that would be the weakest link in your line up of the network gears. The 60E's EOS(End of support, most call it as EOL) is coming up next year too.

Unless you need to have a completely new set/functions upstairs and exhausting IPs in the subnets, extending the existing VLANs to there would be the easiest option as you know already since basically you don't have to change anything on the FGT. 
If the new port on the FGT you're thinking now to connect to the upstairs switch is a part of the hardware switch (default is "internal") with the existing port connected to the current switch, literately no change on the FGT is needed. All VLANs would be spanned to the new switch as soon as you hook it up.
However, if the new port is not a part of the hardware switch (you must have removed it before from "internal" if that's the case), either you have to cascade the new switch from the current switch or put the new port back in the same hardware switch (again likely "internal").

But if you can afford, I would suggest you get a better/more recent switch (cisco migrated SG200->SG250->CBS250->and now Catalyst1200) to have a fresh start.

Toshi 

jcarlilesiu
jcarlilesiuAuthor
New Member
August 21, 2025

Hi Toshi, thanks for the response.  You are correct, this isn't a new switch but a match to the one we already had.  While we are aware that the 60E and the switches are EOL, the cost of building out the second floor mandates postponing updating equipment at this moment.  Hopefully soon. 

 

Thanks for your advice on simply extending current functions upstairs.  Yes, that's what we want to do.  I simply need a switch up there for the patchpanel to support new endpoints.  No, we are no where near exhausting IPs on the subnet. 

 

The confusion is, I did exactly what you said and plugged the new switch into the available port on the FTG.  I was able to see the device come online by monitoring devices on the FTG.  The problem is, I think it shared the IP address of the original switch, disallowing me from accessing it's web interface.  Like there was a duplicate IP.  Now, I have since unplugged the new switch from the FTG, yet the original switch still isn't appearing on my device list like there is no IP assigned to it. 

 

I am also no longer able to access the original switch through the interface.  Directing to the last known IP is giving me a no-page found issue. 

 

The switch is still pass traffic. 

 

If I want to do as you said, was there some step I missed before hooking up the new switch potentially creating an IP duplication issue?

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
August 21, 2025

Would it work if you connect the new switch behind a current switch's trunk port? In other words, cascading it?

Toshi 

Terms & ConditionsAccessibility statement