Tutek_OLD
New Contributor

One Vlan on multiple ethernet interfaces

Hi,

Is it possible on a FortiGate 100F to have one VLAN configured on multiple ports?

Let's say I have vlan5 192.168.5.0; is it possible to attach it to port1 and port2 so that I then have the same shared vlan5 subnet on both of these ports?

thanks


lobstercreed
Valued Contributor

No, a VLAN interface is a sub-interface on a FortiGate (a tagged VLAN on a trunk port in switching parlance).

You *could* set up a switch on the FortiGate so that more than one physical port shared the same "interface" but you wouldn't be able to tag VLANs on those ports. You'd have to connect it to a switch on an untagged VLAN to maybe kind of achieve what you're looking for, at which point why not just use a switch to begin with. Tag the VLAN going to the FortiGate and set untagged VLANs on the other ports you need instead of using the FortiGate for them.
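
The "switch on the FortiGate" lobstercreed mentions is a FortiOS software switch. As an added illustration (not part of the thread, and not Fortinet's own documentation), this is what that configuration looks like in the CLI; the switch name, VDOM and address are assumptions, and port1/port2 come from the original question. Note that the member ports must not carry an IP address or be referenced by any policy or route before they are added, and that the shared segment is untagged: the VLAN tagging the poster wanted is exactly what this design gives up.

```fortios
# Added example; "lan-sw", the VDOM and 192.168.5.1 are assumed values.
# port1 and port2 become members of one software switch, so they share
# a single untagged layer-2 segment and one logical interface.
config system switch-interface
    edit "lan-sw"
        set vdom "root"
        set member "port1" "port2"
    next
end

# The IP lives on the software-switch interface, not on the member ports.
config system interface
    edit "lan-sw"
        set ip 192.168.5.1 255.255.255.0
        set allowaccess ping
    next
end
```

Firewall policies are then written against "lan-sw" rather than port1 or port2, which is why, from a segmentation point of view, putting a DMZ port and a LAN port into the same software switch collapses the two zones into one.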

Tutek_OLD

So how can I create setup like this:

I have lan port1 and DMZ port, and one MGMT vlan subnet (tagged), how to have the same MGMT subnet vlan on lan and DMZ?

On other routers I can bridge MGMT vlan with DMZ port and this is working, how about Fortigate?

Benoit_Rech_FTNT

Hello Wojtek,

you can assign the same VLAN to multiple physical ports, and with different IPs on the same subnet. To do that, you need to enable 'allow-subnet-overlap'

See https://kb.fortinet.com/kb/documentLink.do?externalID=FD30014

Best regards, Benoit
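
For readers who want to see what Benoit's suggestion looks like in the FortiOS CLI, here is an added example that is not part of the thread or of the linked KB article. The interface names, the VDOM and the two addresses are assumptions; vlan5, 192.168.5.0 and port1/port2 are from the original question.

```fortios
# Added example; interface names, VDOM and addresses are assumed values.
# Step 1: permit overlapping subnets inside the VDOM (the option Benoit names).
config system settings
    set allow-subnet-overlap enable
end

# Step 2: one VLAN 5 sub-interface per physical port, each with its own
# address inside 192.168.5.0/24. These remain two separate layer-2
# segments: the FortiGate routes between them and does not bridge frames.
config system interface
    edit "vlan5_port1"
        set vdom "root"
        set ip 192.168.5.1 255.255.255.0
        set allowaccess ping
        set interface "port1"
        set vlanid 5
    next
    edit "vlan5_port2"
        set vdom "root"
        set ip 192.168.5.2 255.255.255.0
        set allowaccess ping
        set interface "port2"
        set vlanid 5
    next
end
```

The check worth running afterwards is `get router info routing-table connected`: it will show two connected routes for 192.168.5.0/24, one per VLAN interface. That duplicate connected route is what the later replies object to, because the FortiGate now has two candidate egress interfaces for the same destination subnet, and hosts on the port1 segment only reach hosts on the port2 segment if a firewall policy between the two VLAN interfaces allows it.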

Toshi_Esumi

I wouldn't do that. The MGMT port is there to separate the management access network from all other "user" networks on the LAG. It's better kept alone with the management subnet and connected directly to the switch (access port); then you can control L2 switching/L3 routing at the L3 switch.

Toshi_Esumi

Maybe I mixed up with another thread. But separation of MGMT port should still stand.

lobstercreed

100% agree with Toshi. I refrained from saying anything but the design Wojtek described makes no sense to me. Management is its own thing and should be on its own interface. Can't imagine what the benefit would even be to having it on multiple interfaces.

sw2090

allow-subnet-overlap is an evil option. The devil made it. Please do not use it ;)

 

As said a vlan on a FGT is a virtuel interface that is tied to a physical one. So the only option to share one vlan on more than one port would be either to put those ports into a switch - then they are threated as one interface and you can tie a vlan to it.

The only outher option might be Port Trunking - but then youo do no longer have sperate ports.


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Tutek_OLD

Yes, it's great when you have multiple ethernet interfaces on a server, but most of my servers have only two ethernet ports: one iRMC and the last one is for data flow and the MGMT VLAN. I cannot do it another way, like putting only MGMT on a VLAN, and I would like to have one MGMT subnet spread across all my FortiGate LAN ports, so this is my problem.

I cannot put the LAN port together with my DMZ port on a switch; they need to be separated (security reasons).

lobstercreed

So if your servers are needing trunk ports (which is what I'm hearing) then you need to use a managed switch to connect between your servers and the FortiGate (maybe FortiSwitch would work; I have no personal experience). There would be no security risk as your DMZ would be on its own VLAN and could not communicate with anything else. This should be very easy to accomplish with any number of managed switch vendors.