Skip to main content
Gustav
Gustav
New Member
December 31, 2020
Question

Fortigate with multiple dhcp pools on one interface

  • December 31, 2020
  • 1 reply
  • 18051 views
Hi, I have the following escenario: a fortigate 200E which handles internet access for all the internal network, 3 distribution L3 switches and several access switches. There are several vlans (around 20) and we want the fortigate to handle dhcp and internet access only, leaving the intervlan routing to the L3 switches. The fortigate has a connection to two of the L3 switches, and I know one interface can be configured as a dhcp server with mutiple ip pools through the cli, instead of creating a svi for each vlan and configuring dhcp for each (which we don't want to*). The links between the fortigate and the switches would be in a separate "internet access" vlan. What I want to know is this: with this scenario, is it still possible to configure policies separately for each vlan, despite all of them ultimately reaching the fortigate routed through the "internet access" vlan? * From what I understand, if I configure the svi's on the Fortigate but let the L3 switches be the gateway for all vlans, a situation of asymmetric traffic will happen, meaning the outgoing traffic will go through the internet acces vlan but the incoming traffic will go through each corresponding vlan, since the fortigate has an interface on every one of them; and this would cause a lot of trouble

1 reply

lobstercreed
lobstercreed
New Member
January 8, 2021

I'm going to answer your last question first.  It is of course possible to configure policies separately for each VLAN by configuring address objects that cover only each individual subnet and using them in individual rules. 

 

However I don't think the rest of your plan will work or be helpful really.  The FortiGate is not made to be a robust DHCP server.  It's not really any better at it than a L3 switch/router, and without being the gateway for the VLAN, no, I don't think it will work.

 

What I always recommend is to make the FortiGate the "core" of your network and trunk the VLANs to it (using switches as L2 only) so you can control inter-VLAN traffic with FW policies as well as Internet/DMZ access.  However, this isn't practical for everyone especially depending on how the FGT is sized.  I'd say you have to decide which is more important to you.  DHCP on the FGT or L3 on the switch.

Gustav
GustavAuthor
New Member
January 8, 2021
I understand what you are saying, however I'm sadly limited by the client's desires and constraints. If I could implement a dedicated dhcp server, I would, but the project simply doesn't allow me that. Similarly, part of the project scope is to release the responsibility of intervlan traffic from the fortigate and give it to some new L3 switches that were bought. In regard to this, if I trunk all vlans to the fortigate but set the gws in each vlan to be the L3 switches, will there be policy-related problems due to the "asymmetric" nature of the internet traffic?
emnoc
emnoc
New Member
January 8, 2021

A fortigate also can not be used in  a DHCP-relay solution

 

Ken Felix

Terms & ConditionsAccessibility statement