MartyDon
New Member
September 25, 2018
Question

VLAN Implementation

  • September 25, 2018
  • 1 reply
  • 7521 views

Good day


I need to implement a VLAN network as my client will be looking to have his network made a little more redundant with a failover from HO to Branch with a Fibre Optic cable between. He wants this to be a failover for internet too so that if Head Office primary ISP goes down, then all traffic will use this connection. 

The switch that he will use will also be used at a later stage for multiple other offices to connect to.

They are using a FortiGate 200D (HA) which will connect to a new Cisco 2960 -> direct connection from there to the FortiGate at the branch office (it's across the road). Is it difficult to set up VLANs on a FortiGate?

I have done VLANs over 6 years ago on Cisco devices but never on a FortiGate.

Another point to mention is that there will be a microwave link between the offices that will be used as a 3rd failover. This will be connected to the switch.


Will I need to create two separate VLANs (one for the first failover, and another for the second)?

Can SD-WAN be used if you are using VLAN interfaces?


Should I create a site-to-site IPsec VPN (using on-demand) for the third microwave link failover?

I have drawn up a small diagram on this to try and get a better view on this.


Looking forward to some ideas and suggestions on this.

Regards,

Marty

1 reply

tanr
New Member
September 25, 2018

Hi Marty, welcome to the forums.


I'll guess you're using FortiOS 5.6?


VLANs on FortiGates are created as sub-interfaces on a physical interface, aggregate, or FortiGate (hardware/software) switch interface. They're relatively simple. One important thing to note is that in most cases the FortiGate's VLAN interfaces are tagged only, not untagged/native, so your connected switch or other device will need to support that.


I think you'll want to control your own failover more fully and so wouldn't want SD-WAN, but that depends on your needs.  I describe failover cases below.


You'll need to create link-monitor objects to determine if a link is down and have available routes in your (static?) routes that provide the route out the backup links.  See http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-networking/Interfaces/Dual%20Internet%20connections.htm for an example.  


I would recommend having your routes and backup routes with the same distance but different priorities, so that all those routes stay in the routing table and are available (until the link-monitor removes one that references an interface that is down).  The route with the "highest" priority (lowest number) will be used.


See https://cookbook.fortinet.com/redundant-internet-basic-failover-56/ for an example with the same distance but different priorities.


Regarding an IPsec VPN over the microwave link, unless it's already encrypted/secured I assume you would need something like that to keep things secure.  The admin guide and cookbook articles list out most of the VPN details you'll need, though you may need to dig through the forums for details on doing it with certificates.


Hope this helps!
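The three pieces tanr describes (a tagged VLAN sub-interface, a link monitor that withdraws routes, and default routes with equal distance but different priorities) put together as one FortiOS 5.6-style CLI configuration. This is an added example, not configuration from the original thread or from Fortinet's documentation. Interface names (wan1 for the primary ISP, port1 for the fibre to the 2960, vlan10, and mw-vpn for a route-based IPsec tunnel over the microwave link), VLAN ID 10, and all IP addresses are assumed placeholders:

```text
# Added example, not from the original post. Names, VLAN ID and addresses
# are assumed placeholders; replace them with the site's real values.

# 1. VLAN sub-interface on the port carrying the fibre to the branch.
#    The FortiGate sends VLAN 10 tagged, so the 2960 port facing it must
#    carry VLAN 10 as a tagged (trunk) VLAN, not as the native VLAN.
config system interface
    edit "vlan10"
        set vdom "root"
        set interface "port1"
        set vlanid 10
        set ip 198.51.100.2 255.255.255.252
        set allowaccess ping
    next
end

# 2. Link monitor for the primary ISP. Probe a host beyond the ISP gateway
#    (assumed 203.0.113.254), not the gateway itself, so a dead upstream is
#    detected. When the probe fails, the static routes using wan1 are
#    withdrawn; when it recovers they are reinstalled.
#    The interval/timeout unit changed between FortiOS releases; check the
#    CLI reference for the version in use.
config system link-monitor
    edit "mon-isp1"
        set srcintf "wan1"
        set server "203.0.113.254"
        set gateway-ip 203.0.113.1
        set protocol ping
        set interval 5
        set failtime 5
        set recoverytime 5
        set update-static-route enable
        set status enable
    next
end
# A second link monitor with srcintf "vlan10", probing the branch
# FortiGate's vlan10 address, is configured the same way so the fibre
# route can also be withdrawn when that path fails.

# 3. Three default routes with the SAME distance and DIFFERENT priorities.
#    All three stay in the routing table; the lowest priority number is
#    used while its interface is up and its route has not been withdrawn.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 1
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "vlan10"
        set distance 10
        set priority 2
    next
    edit 3
        set dst 0.0.0.0 0.0.0.0
        set device "mw-vpn"
        set distance 10
        set priority 3
    next
end
```

Route 3 has no gateway because mw-vpn is assumed to be a route-based IPsec tunnel interface (the tunnel itself is configured under `config vpn ipsec phase1-interface` / `phase2-interface` and is not shown here). Routing alone does not pass traffic: firewall policies from the LAN to each of wan1, vlan10 and mw-vpn are still required. To confirm the behaviour, `get router info routing-table all` should list all three default routes, and `diagnose sys link-monitor status` shows whether each monitor currently sees its link as alive or dead.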

tanr
New Member
September 25, 2018

Another reason to have multiple routes with the same distance but different priorities is that you can then create policy routes that override the highest priority route to route more specific traffic over any of those routes (with same distance but different priorities) based on things like source, protocol, etc.
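A policy route of the kind tanr describes, as an added example that is not part of the original post. It assumes the three equal-distance default routes already exist, that the LAN interface is named "internal", and that 192.168.10.0/24 and the vlan10 next hop 198.51.100.1 are placeholders:

```text
# Added example, not from the original post. Interface names and
# addresses are assumed placeholders.
# Send HTTPS (TCP/443) from one LAN subnet out the fibre VLAN, even while
# the wan1 default route currently has the best priority. Everything that
# does not match falls through to the normal priority-ordered routing table.
config router policy
    edit 1
        set input-device "internal"
        set src "192.168.10.0/255.255.255.0"
        set protocol 6
        set start-port 443
        set end-port 443
        set gateway 198.51.100.1
        set output-device "vlan10"
    next
end
```

Policy routes are evaluated before the routing table, which is why keeping all the default routes installed (equal distance, different priority) matters: the FortiGate only honours a policy route when the routing table still holds a route to the destination via the chosen output device. If the link monitor on vlan10 withdraws that route, matching traffic is expected to fall back to the routing table rather than being black-holed; verify this on the FortiOS version in use, since the exact rule has changed between releases. `diagnose firewall proute list` shows the installed policy routes and their match counters.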