Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jaymis
New Contributor

FortiGate200D

Hi,

 

I am new to Fortigate 200D.

 

I have port 13 connecting to Port 2 on ISP Adva switch.

 

However ports 13/14 are members of external interface.

 

Interface Name - external Type - Hardware Switch Physical Interface Members  Port 13, Port 14

 

 edit "external"         set vdom "root"         set ip x.x.x.138 255.255.255.248         set type hard-switch         set description "Internet Access"         set snmp-index 24

 

 

Is this an aggregate layer 3 port on FortGate and a routed port on Adva ?

 

If I was to connect Adva Port 2 directly to a switch should this be configured a as trunk port  or routed port?

4 REPLIES 4
Toshi_Esumi
Esteemed Contributor II

No. They are hard-switch ports sharing all subinterfaces, like VLANs on them. If an aggregated ports, you would see just "set type physical" on each interface.

So same ethernet frames are duplicated between those ports when the FGT sends something out to the subinterfaces on it.

jaymis

Ports 13/14 are members of external hence thought they were aggregate ports. hard-switch = trunk port ?
Toshi_Esumi
Esteemed Contributor II

There is no particular definition of external or internal ports in FGTs. You're just calling them for ISP connections or LANs.

Also there is no particular definition of trunk ports in FGTs either. It's up to uses if you make it just big collection of non-tagged interfaces on one hard-switch, or - this is more common - put multiple VLAN subinterfaces in addition to non-tagged through those ports in a hard-switch. It's just act as ports like regular VLAN capable switches. So if a VLAN10 is configured and a vlan-tagged frame with vlan-id 10 comes in one port of the hard-switch, it would be switched to the other port, means if it knows on which port the destination MAC address exists, it would forward only on that port. If a broadcast packet on the VLAN it would be forwarded to all other ports other than incoming port. Everything is controlled by a chip/hardware. That's why it's called as hard-switch. That's it.

Just be aware, FGT doesn't have concept of SVI or native VLAN. You can't define an internal VLAN then connect it to non-tagged ports randomly. All VLANs have to be bound to one of parent interfaces, and can't be bound to muitiple of them. That's why hard- or soft-switch interfaces are needed to let the same VLAN spread to multiple ports.

Think about old Cisco, Juniper, and other routers, which are NOT L2/L3 switch-routers and those subinterfaces, like Gigabit-ethernet0/0.10. It works in a similar way.

jaymis

Thanks for response