0skarprez
New Contributor

InterVLAN routing on L3 switch or Fortigate?

Hello everybody, I would like to know your opinions on what would be best for the following topic.

I have to create a network for 40 users, just accessing basic services such as a file server, printers, internet and wifi. I have a Fortigate 60F and I am going to install an L3 switch, a Cisco 9300, and 2 access switches (2960). I want to create 5 data VLANs and one voice VLAN. I will also have VPN connections through SSL, and a wifi network in a different VLAN. My question is: where would you handle the inter-VLAN routing, in the L3 switch or in the Fortigate? Thanks all for your advice.

regards

Toshi_Esumi
Esteemed Contributor III

It's a question of whether you want/need to regulate (apply policies to) inter-VLAN traffic. If yes, it needs to come to the FGT before being routed to another VLAN. If not, let the switch interconnect the VLANs and have the FGT control only traffic to/from the outside.

lobstercreed

No question in my mind.  If your firewall can handle the throughput (it probably can, depending on the type of work being done), do the VLANs on the firewall.  You get layer 2 visibility into your whole network, which is nice for auditing and troubleshooting, but it also allows you to write stricter policies (i.e., down to the device's MAC address, not just its IP).


Also keep in mind that it doesn't have to be all one or the other.  You may want to put your guest wifi VLAN on the firewall while leaving the rest of your network free to communicate.  You can also change this on a per-VLAN basis later fairly easily, with very brief disruption to the network.


- Daniel
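To make the "VLANs on the firewall" option from the two replies concrete, here is an added FortiOS CLI example; it is not from either reply or from Fortinet documentation. It terminates two data VLANs and the guest wifi VLAN on the FortiGate, so that every inter-VLAN packet has to match a policy, and adds one MAC-based address object of the kind the second reply mentions. The parent interface name, VLAN IDs, subnets, policy IDs, the "printer-mac" object and its MAC address are all made up for illustration; the `set type mac` / `set macaddr` address syntax assumes FortiOS 6.4 or later.

```text
# --- VLAN sub-interfaces on the FortiGate (hypothetical names/addresses) ---
# "internal" is assumed to be the port (or hardware switch) trunked to the 9300.
config system interface
    edit "vlan10-data"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set role lan
        set interface "internal"
        set vlanid 10
    next
    edit "vlan20-printers"
        set vdom "root"
        set ip 10.10.20.1 255.255.255.0
        set allowaccess ping
        set role lan
        set interface "internal"
        set vlanid 20
    next
    edit "vlan30-guest"
        set vdom "root"
        set ip 10.10.30.1 255.255.255.0
        set role lan
        set interface "internal"
        set vlanid 30
    next
end

# --- MAC-based address object (made-up MAC; FortiOS 6.4+ syntax assumed) ---
config firewall address
    edit "printer-mac"
        set type mac
        set macaddr "00:11:22:33:44:55"
    next
end

# --- Inter-VLAN policies: only what is listed is allowed; everything else
#     (including guest -> data VLANs) hits the implicit deny at the bottom ---
config firewall policy
    edit 10
        set name "data10-to-printer"
        set srcintf "vlan10-data"
        set dstintf "vlan20-printers"
        set srcaddr "all"
        set dstaddr "printer-mac"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 20
        set name "guest-to-internet-only"
        set srcintf "vlan30-guest"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

With this layout the 9300 carries VLANs 10, 20 and 30 at layer 2 only (a trunk to the FortiGate, no SVIs for those VLANs and no routing between them), which is what makes the policies above effective: there is no path between the VLANs that bypasses the firewall. If you instead put the SVIs on the 9300, as the first reply describes for the "no policies needed" case, the FortiGate sees only a single transit subnet and cannot filter VLAN-to-VLAN traffic. Mixing the two, per the second reply, simply means creating a sub-interface and policies only for the VLANs you want to regulate (guest wifi being the obvious one) and leaving the others routed on the switch.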
