Support Forum
asgspl
New Contributor

100D - The truth about VLANs and Interfaces

Hi Guys,

 

First post so please be gentle. :)

Long story short.

The plan is to use the 100D as the main device, where I'm going to bring up my VLAN interfaces, and to have an L2 HP switch as the LAN switch.

Is it just me, or is it really rocket science to do that Cisco style, which means:

On the 100D, have the last 2 ports (aggregated) in trunk mode, connected to 2 ports on my HP (obviously aggregated as well).

And now the confusion: where the hell do I need to configure the VLAN sub-interfaces (for those in the know, I'm referring to Cisco inter-VLAN routing on a stick)? At the same time, on the 100D I need to have some other aggregated interfaces that are part of different VLANs.

I've read almost all the FortiGate docs and still have no idea how to do it.

Below is a text diagram of what I want to achieve:

 

100D: [interface (802.1aq) - vlan 102]; [2nd interface (802.1aq) - vlan 102]; [3rd interface (802.1aq) - vlan 103]; [last interface (802.1aq) - trunk (carries all the VLANs)]

The question is the same: where do I configure the VLAN sub-interfaces?

If anyone can point me to the right docs, or give me some idea, it would be very much appreciated.

 

Cheers,

Tony 

emnoc
Esteemed Contributor III

Configure the sub-interface with the aggregate (bond) interface name as its parent interface.

 

e.g. (where bond0 is my named aggregate group interface):

 

config system interface
    # VLAN 888 as an L3 sub-interface of the aggregate "bond0"
    edit "vlan888"
        set vdom "root"
        set interface "bond0"
        set vlanid 888
    next
end

PCNSE NSE StrongSwan
asgspl
New Contributor

Since my last interface, which is also 802.1aq, needs to be a trunk, because on the switch it connects to I'll have ports which belong to different VLANs like the ones mentioned above (101, 102, etc.), and at the same time the ports on the 100D may belong to different VLANs as well, where exactly do I configure my interfaces? I mean the IP addresses of my interfaces. For example, the LAN, which is VLAN 101, doesn't have anything connected on the 100D interfaces; all the VLAN 101 devices are actually connected on the switch behind the 100D.

 

Still in the dark here ...

 

emnoc
Esteemed Contributor III

Draw a topology map or provide the CLI configuration of what you have now;

 

e.g.

 

show system interface <blahBlahblah>

 

Where blahBlahblah is the named interface; that should give us more insight into what you're doing or have done.

asgspl
New Contributor

Hope this is clear enough. :)

 

Cheers,

Tony

asgspl
New Contributor

Hi guys,

 

I'm still thinking about what would be the easiest setup (layout) for me to achieve what I mentioned above. The easiest fix which comes to my mind is to use an L3 switch as the core switch, configure all my interfaces and VLANs on my L3 switch, and not configure any IPs on my 100D. Wire a trunk between the L3 switch and the 100D which carries all the VLANs, and do all my inter-VLAN trunking on my small L3 switch.

 

Is there anyone out there who sees a different and easier solution?

 

Cheers,

Tony

emnoc
Esteemed Contributor III

 

 

You have many options;

 

Build a layer 3 leg from an L3 switch, assign a /30 on that leg or whatever, and use the L3 core switch to terminate the inside VLANs. This is the simplest, but if the L3 core switch is used in this fashion you can control traffic from VLAN to VLAN

(this would be inter-VLAN routing on the L3 switch)

 

or

 

Terminate an 802.1Q trunk interface (bonded or not) to an L2 switch, install all VLANs on that trunk as L3 sub-interfaces on the FortiGate, and NOW you can control VLAN-to-VLAN traffic (this would be inter-VLAN routing on the FortiGate). You would need a layer 3 address interface for each VLAN that you carry, plus the firewall policy rules to allow traffic from VLAN to VLAN or to the WAN.

 

 

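The second option above (inter-VLAN routing on the FortiGate, L2 switch behind it) carried through as a complete configuration. This is an added example, not emnoc's configuration or anything posted in this thread: the member ports (port15/port16), the VLAN IDs 101 to 103, the 10.0.10x.0/24 addressing, the HP 2530 port ranges and every interface and address-object name are assumptions, and the syntax follows the FortiOS 5.x CLI and HP ProCurve CLI forms used elsewhere in the thread.

```text
# --- FortiGate 100D (NAT/route mode) ---
# The aggregate "trk1" is the 802.3ad bundle towards the switch. It carries
# no IP of its own; it only holds the VLAN sub-interfaces below, which is
# what makes it the "trunk". Untagged frames arriving on it are dropped.
config system interface
    edit "trk1"
        set vdom "root"
        set type aggregate
        set member "port15" "port16"
        set lacp-mode active
    next
    # One L3 sub-interface per VLAN. The FortiGate is the default gateway of
    # every VLAN, so each inter-VLAN flow has to match a firewall policy.
    edit "vlan101"
        set vdom "root"
        set ip 10.0.101.1 255.255.255.0
        set allowaccess ping
        set interface "trk1"
        set vlanid 101
    next
    edit "vlan102"
        set vdom "root"
        set ip 10.0.102.1 255.255.255.0
        set allowaccess ping
        set interface "trk1"
        set vlanid 102
    next
    edit "vlan103"
        set vdom "root"
        set ip 10.0.103.1 255.255.255.0
        set allowaccess ping
        set interface "trk1"
        set vlanid 103
    next
end

# Address objects for the VLAN subnets (assumed names).
config firewall address
    edit "net-vlan101"
        set subnet 10.0.101.0 255.255.255.0
    next
    edit "net-vlan102"
        set subnet 10.0.102.0 255.255.255.0
    next
end

# Nothing passes between sub-interfaces without a policy (implicit deny).
# Policy 1: LAN (101) may reach the server VLAN (102) on HTTPS only.
# Policy 2: LAN (101) out to the WAN with source NAT; repeat per VLAN that
# needs Internet access (wan1 and its default route are assumed to exist).
config firewall policy
    edit 1
        set srcintf "vlan101"
        set dstintf "vlan102"
        set srcaddr "net-vlan101"
        set dstaddr "net-vlan102"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    edit 2
        set srcintf "vlan101"
        set dstintf "wan1"
        set srcaddr "net-vlan101"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end

# --- HP 2530 (ProCurve CLI), layer 2 only ---
# trk1 bundles ports 23-24 with LACP and is tagged in every VLAN the
# FortiGate terminates. Access ports are untagged in exactly one VLAN.
trunk 23-24 trk1 lacp
vlan 101
   name "LAN"
   untagged 1-12
   tagged trk1
   exit
vlan 102
   name "Servers"
   untagged 13-18
   tagged trk1
   exit
vlan 103
   name "Mgmt"
   untagged 19-22
   tagged trk1
   exit
# The bundle is untagged in the default VLAN 1 unless removed; leaving it
# there sends VLAN 1 frames untagged to the FortiGate, which has no
# interface for them.
vlan 1
   no untagged trk1
   exit
```

Two checks once this is in place: on the FortiGate, `diagnose netlink aggregate name trk1` shows whether LACP actually negotiated on both members, and on the HP, `show lacp` and `show vlans ports trk1 detail` show the bundle state and the VLANs tagged on it. The set of `vlanid` values on the FortiGate sub-interfaces and the set of VLANs tagged on trk1 should be identical: a VLAN tagged on the switch side with no sub-interface is silently dropped by the FortiGate, and a sub-interface whose VLAN is not tagged on the switch is a black hole.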
asgspl
New Contributor

Hi all,

(thanks emnoc for your time and answers)

 

Just an idea.

If I'm going with option 1 (since I've found an HP 2620 L3 switch sitting in our warehouse), do I really need the /30 between the 100D and the L3 switch? What if I wire a bonded trunk (all VLANs) and connect all my servers and other devices (except computers) to 100D interfaces, and untag those interfaces (without configuring any IP addresses) into whatever VLAN I need. Would it work? I also noticed that I can't mark a bonded (802.3ad) interface as Ethernet Trunk, not even in the CLI. I can do it just on a single interface.

 

Thanks.

 

Cheers,

Tony

emnoc
Esteemed Contributor III

If I'm going with option 1 (since I've found an HP 2620 L3 switch sitting in our warehouse), do I really need the /30 between the 100D and the L3 switch?

 

It could be anything, a /31 if you want; it needs an IPv4 address and a mask greater than a /32 ;). I'm assuming these are RFC 1918 addresses that you're using? If that's correct, then why care; make it fit into what you want, or use simple classful boundaries if you want to eliminate any subnetting concerns.

 

What if I wire a bonded trunk (all VLANs) and connect all my servers and other devices (except computers) to 100D interfaces, and untag those interfaces (without configuring any IP addresses) into whatever VLAN I need. Would it work?

 

I really don't understand that question; can you draft a proposed topology? If you're using a layer 2/3 switch with multiple VLANs, your access ports to the servers/computers could, and most likely would, be untagged for the most part, and almost surely for the latter (the computers, the end users). The FGT 100D interface into the layer 2/3 switch could be tagged if you're carrying all VLANs into that firewall. Think of the switch as fan-out to provide the IPv4 networks to the end devices.

 

I also noticed that I can't mark a bonded (802.3ad) interface as Ethernet Trunk, not even in the CLI. I can do it just on a single interface.

 

Same as above, I don't understand. To clarify: the bond (aka aggregate ethernet, AE) interface is the holder of the sub-interfaces. You don't mark it as a "trunk" per se; it carries the L3 sub-interfaces that reference the bond/AE interface name.

 

I put this blog post together; it would be helpful if you want to understand bundling of interfaces from a firewall perspective:

http://socpuppet.blogspot...wall-capacity-via.html

 

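The first option (inside VLANs terminated on the L3 switch, a single routed leg to the FortiGate) carried through the same way, so the two designs can be compared side by side. This is an added example, not emnoc's or Tony's configuration: the transit /30 (172.16.255.0/30), the inside summary 10.0.0.0/16, the VLAN IDs, the HP 2620 port ranges and all names are assumptions, in FortiOS 5.x and HP ProCurve CLI syntax. In this design VLAN-to-VLAN traffic is routed by the 2620 and never reaches the FortiGate, as emnoc notes above, so the firewall policy only governs inside-to-WAN traffic.

```text
# --- FortiGate 100D: one routed leg, no VLAN sub-interfaces ---
# The aggregate itself carries the transit address; this is the "/30"
# emnoc refers to. Any IPv4 subnet works, it just has to be routable
# between the two boxes.
config system interface
    edit "trk1"
        set vdom "root"
        set type aggregate
        set member "port15" "port16"
        set lacp-mode active
        set ip 172.16.255.1 255.255.255.252
        set allowaccess ping
    next
end

# The FortiGate must be told the inside VLAN subnets live behind the
# switch; one summary route (assumed 10.0.0.0/16) covers them all.
config router static
    edit 1
        set dst 10.0.0.0 255.255.0.0
        set gateway 172.16.255.2
        set device "trk1"
    next
end

# Only inside <-> WAN traffic crosses the firewall in this design.
config firewall address
    edit "net-inside"
        set subnet 10.0.0.0 255.255.0.0
    next
end
config firewall policy
    edit 1
        set srcintf "trk1"
        set dstintf "wan1"
        set srcaddr "net-inside"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end

# --- HP 2620 (ProCurve CLI), routing enabled ---
ip routing
trunk 23-24 trk1 lacp
# Transit VLAN towards the FortiGate, untagged on the bundle, so the
# FortiGate side needs no vlanid at all.
vlan 999
   name "Transit-FGT"
   untagged trk1
   ip address 172.16.255.2 255.255.255.252
   exit
# Inside VLANs: the switch is the default gateway of each one, so
# VLAN 101 <-> VLAN 102 is routed here without the firewall seeing it.
vlan 101
   name "LAN"
   untagged 1-12
   ip address 10.0.101.1 255.255.255.0
   exit
vlan 102
   name "Servers"
   untagged 13-18
   ip address 10.0.102.1 255.255.255.0
   exit
# Everything not local is sent to the FortiGate.
ip route 0.0.0.0 0.0.0.0 172.16.255.1
```

The routing check is the same on both ends: `show ip route` on the 2620 should list the default route via 172.16.255.1, and `get router info routing-table all` on the FortiGate should list 10.0.0.0/16 via 172.16.255.2 on trk1. If the inside subnets are later renumbered outside the summary, the FortiGate route (and the `net-inside` object) have to follow, or those hosts lose WAN access while still reaching each other through the switch.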
Robin_Svanberg
Contributor

On one of our customers' 100Ds with HP 2530-24G switches, we created an aggregated interface named trk1 with three interfaces on each side.

 

CLI

config system interface
    # 802.3ad aggregate of three ports towards the HP switch
    edit "trk1"
        set vdom "root"
        set vlanforward enable
        set type aggregate
        set member "port1" "port2" "port3"
        set snmp-index 27
        set lacp-ha-slave disable
    next
end

 

GUI

System-Interfaces - Create New

Select type 802.3ad Aggregate

 

When that interface is created, you create the sub-interfaces/VLANs like this:

CLI

config system interface
    # VLAN 2285 as an L3 sub-interface of "trk1", with DHCP relay to the server
    edit "vlan1"
        set vdom "root"
        set dhcp-relay-service enable
        set ip 10.117.85.1 255.255.255.0
        set allowaccess ping
        set description "15XXXX/RS: Created"
        set dhcp-relay-ip "10.241.151.11"
        set interface "trk1"
        set vlanid 2285
    next
end

 

GUI

System-Interfaces - Create New

Select type VLAN and choose the aggregated interface.

 

Configuration of the HP switches:

trunk 21-24 trk1 lacp

 

Robin Svanberg, Network Consultant @ Ethersec AB in Östersund, Sweden

robin.svanberg@ethersec.se