New to FortiGate - Need help for LAN setup

Question

Hello everyone

I am all new to Fortinet and FortiGate, though i am a quite old Networks "user"

Right now i am in the process of swapping a Juniper SRX100 with a Fortigate 92D and a Juniper SRX240 with a Fortigate 140D-POE (+FAP321C)

In general i find all the configuration points i wish (and can dream of) and always amazed how easy and efficient everything is (especially coming from Cisco, Juniper and other Checkpoint products)

The only thing i am struggling with right now is the setup of the LANs and VLANs (i didn't think that going full VDOM was necessary)

I attached a quickly drawn high level concept of the network to give an idea of what i am trying to achieve

I am working with 3 VLANs

Green - 192.168.1.0/24 - DHCP server active

Amber - 192.168.10.0/24 - DHCP server active

Red - 192.168.100.0/24 - DHCP server active

Green is reserved for trusted devices (PCs, Macs, iDevices, ...)

Amber is reserved for internet facing servers and other devices reachable from Internet

Red is reserved for guest devices (PCs, Macs, iDevices, ...)

The devices in Green are all with single link

The servers in Amber have all dual link in 802.3ad aggregation (other devices have a single link)

The devices in Red are all with single link

What i have been trying to achieve at first was to create the 3 VLANs and assign then to various ports but it seems i can assign only to 1 interface (may it be a port or Virtual Switch or VLAN Switch) Also i noticed that the 802.3ad ports are to be set as an Aggregate Interface

So i seem to be turning round and round on how to set a number of ports to the Green VLAN, another set of Ports to the Amber VLAN (along with a couple aggregated interfaces), a 3rd set of ports to the Red VLAN and the WiFi port to all 3 VLANs

I am quite sure i am just missing a detail but i cannot seem to make it all work together

I was hoping that some of you with way more experience than me on FortiGate could help me find the solution

Thank you in advance!

Andy

Toshi_Esumi · Accepted Answer

Sorry for off topic from Pandalist's original question. But I want to ask ede_pfau or others if FortiSwitch can do like this that FortiGate can't do.

Nowadays major routers like Cisco, Juniper, etc. supports L2 switching separated from L3 routing, just like Pandalist drew in the diagram. I've kept asking the same/similar function on Fortigate to Fortinet SE/Sales but so far it's not happening.

Toshi_Esumi · Answer

Fortigates don't have clear separation between Layer3 interface and Layer2(or below) vlans. The vlan is a "subinterface" that can belong to one interface only. You can bind multiple physical interfaces into one hardswitch (virtual-switch) interface or one softswitch interface (switch-interface) via CLI (I'm not sure about GUI. And CLI might be slightly different between 92D and 140D, which I don't have either). Then you need to create a vlan subinterface on top of it. Although you can attach multiple vlans on one interface, it's the same through all physical interfaces inside the hard/softswitch interfaces.

In other words, you can't have one physical interface with only vlan-A and another with vlan-A and vlan-B as in your diagram. An option I could think of without having a Layer2 switch next to it is to separate WiFi SSID subnets from those three wired vlan subnets then set policies or zones to connect them together.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded