Understanding Port-Channel Rules and VLAN subinterfaces
Hi there.
We are replacing the ASAs in our office with FortiGate 100Ds, and what my seniors want me to do is create two port channels on the FortiGate that connect into our core switch (Cisco 3750X).
We have about 10 different VLANs in our office, so what I want to do is have 5 VLAN subinterfaces set up per port channel.
So Interface 1 and 2 will be port channel 1 and interface 3 and 4 is port channel two - and each has 5 VLAN gateways set up on them. The firewall will be NAT'ing and routing out to the internet. First off, is what I'm doing something that will work?
Another main question I have is that if I create a policy, and I want to, say, deny traffic from somewhere, I obviously specify a source and destination interface; so if I want to deny incoming from the internet, and specify WAN1 as my source and Port-channel1 as my destination, does it then deny to whatever VLANs are configured under PortChannel1?
Kind Regards, Adam
