Hi Guys,
First post so please be gentle. :)
Long story short.
Plan is to use 100D as main device where I'm going to bring up my VLAN interfaces and have a L2 HP switch as the LAN switch.
Is it just me or is it really rocket science to do that Cisco style, which means:
On the 100D have the last 2 ports (aggregated) in trunk mode connected to 2 ports on my HP (obviously aggregated as well).
And now the confusion: where the hell do I need to configure the VLAN sub-interfaces ("pour les connaisseurs": I'm referring to Cisco inter-VLAN routing on a stick)? At the same time, on the 100D I need to have some other aggregated interfaces as part of different VLANs.
I've read almost all the Fortigate docs and still have no idea how to do it.
Below is a text diagram of what I want to achieve:
100D [interface[802.1aq]-vlan 102]; [2nd interface[802.1aq]-vlan 102]; [3rd interface[802.1aq]-vlan 103]; [last interface[802.1aq] - trunk(carries all the vlans)]
The question is the same, where do I configure the VLAN sub interfaces?
If anyone can point me even to the right docs or give me some idea, it would be very appreciated.
Cheers,
Tony
Configure the sub-interface named off the aggregate bond interface name.
e.g. (where bond0 is my named aggregate group interface):
config system interface
    edit "vlan888"
        set vdom "root"
        set interface "bond0"
        set vlanid 888
    next
end
PCNSE
NSE
StrongSwan
Since my last interface, which is also 802.1aq, needs to be a trunk, because on the switch it connects to I'll have ports which belong to different VLANs like the ones mentioned above (101, 102, etc.) and at the same time the ports on the 100D may belong to different VLANs as well, where exactly do I configure my interfaces? I mean the IP addresses of my interfaces. For example the LAN, which is 101, doesn't have anything connected on the 100D interfaces; all the VLAN 101 devices are actually connected to the switch behind the 100D.
Still in the dark here ...
Draw a topology map or provide the CLI configuration of what you have now;
e.g.
show system interface <blahBlahblah>
Where blahBlahblah is the named interface; that should give us more insight into what you're doing or have done.
Hi guys,
I'm still thinking about what would be the easiest setup (layout) for me to achieve what I mentioned above. The easiest fix that comes to my mind is to use an L3 switch as the core switch, configure all my interfaces and VLANs on my L3 switch and not configure any IPs on my 100D. Wire a trunk between the L3 switch and the 100D which carries all the VLANs and do all my inter-VLAN trunking on my small L3 switch.
Is there anyone out there who sees a different and easier solution?
Cheers,
Tony
You have many options;
Build a layer 3 leg from an L3 switch, assign a /30 on that leg or whatever, and use the L3 core switch to terminate inside VLANs. This is the simplest, but if the L3 core switch is used in this fashion you can control traffic from VLAN to VLAN
(this would be inter-VLAN routing on the L3 switch)
or
Terminate an 802.1q trunk interface (bonded or not) to an L2 switch, install all VLANs on that trunk as L3 sub-interfaces on the FortiGate and NOW you can control VLAN-to-VLAN traffic (this would be inter-VLAN routing on the FortiGate). You would need a layer 3 address interface for each VLAN that you carry plus the firewall policy rules to allow traffic from VLAN to VLAN or to the WAN.
Hi all,
(thanks emnoc for your time and answers)
Just an idea.
If I'm going with option 1 (since I've found an HP 2620 L3 switch sitting in our warehouse), do I really need the /30 between the 100D and the L3 switch? What if I wire a bonded trunk (all VLANs) and connect all my servers and other devices (except computers) to 100D interfaces and untag those interfaces (without configuring any IP addresses) into whatever VLAN I need. Would it work? I also noticed that I can't mark a bonded (802.3ad) interface as Ethernet Trunk, not even in the CLI. I can do it just on a single interface.
Thanks.
Cheers,
Tony
If I'm going with option 1 (since I've found an HP 2620 L3 switch sitting in our warehouse), do I really need the /30 between the 100D and the L3 switch?
It could be anything, /31 if you want; it needs an IPv4 address and mask greater than a /32 ;). I'm assuming these are RFC 1918 addresses that you're using? If that's correct then why care; make it fit into what you want, or onto simple classful boundaries if you want to eliminate any subnetting concerns.
What if I wire a bonded trunk (all VLANs) and connect all my servers and other devices (except computers) to 100D interfaces and untag those interfaces (without configuring any IP addresses) into whatever VLAN I need. Would it work?
I really don't understand that question; can you draft a proposed topology? If you're using a layer 2/3 switch with multiple VLANs, your access ports to the servers/computers could and most likely would be untagged for the most part, and almost surely for the latter (the computers/end users). The FGT100D interface into the layer 2/3 switch could be tagged if you're carrying all VLANs into that firewall. Think of the switch as fan-out to provide the IPv4 networks to the end devices.
I also noticed that I can't mark a bonded (802.3ad) interface as Ethernet Trunk, not even in the CLI. I can do it just on a single interface.
Same as above, don't understand. To clarify, the bond (aka aggregate Ethernet, AE) interface is the holder of the sub-interfaces. You don't mark it as a "trunk" per se; it carries the L3 sub-interfaces that reference the bond/AE interface name.
I put this blog post together and it would be helpful if you want to understand bundling of interfaces from a firewall perspective:
http://socpuppet.blogspot...wall-capacity-via.html
asgspl wrote: [quoting the original post above]
On one customer's 100D with HP 2530-24G switches we created an aggregated interface named trk1 with three interfaces on each side.
CLI
config system interface
    edit "trk1"
        set vdom "root"
        set vlanforward enable
        set type aggregate
        set member "port1" "port2" "port3"
        set snmp-index 27
        set lacp-ha-slave disable
    next
end
GUI
System-Interfaces - Create New
Select type 802.3ad Aggregate
When that interface is created you create sub-interfaces/VLANs like this:
CLI
config system interface
    edit "vlan1"
        set vdom "root"
        set dhcp-relay-service enable
        set ip 10.117.85.1 255.255.255.0
        set allowaccess ping
        set description "15XXXX/RS: Created"
        set dhcp-relay-ip "10.241.151.11"
        set interface "trk1"
        set vlanid 2285
    next
end
GUI
System-Interfaces - Create New
Select type VLAN and choose the aggregated interface.
Configuration of HP switches:
trunk 21-24 trk1 lacp
Robin Svanberg Network Consultant @ Ethersec AB in Östersund, Sweden
robin.svanberg@ethersec.se
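Putting emnoc's option 2 and Robin's aggregate/VLAN configuration together with the VLAN IDs from Tony's diagram, here is a complete FortiOS CLI example. It is added here and is not configuration from the thread; the port names (port15/port16), the 192.168.x.0/24 subnets and the single policy are assumptions to adapt.

```fortios
# Added example, not from the thread: the bond carries all VLANs to the HP
# switch, the L3 addresses live on VLAN sub-interfaces that reference the
# bond by name, and a firewall policy is what allows traffic between VLANs.
config system interface
    # LACP bundle of the last two ports (assumed port15/port16). It is the
    # "trunk" to the switch and deliberately gets no IP address of its own.
    edit "bond0"
        set vdom "root"
        set type aggregate
        set member "port15" "port16"
        set lacp-mode active
        set vlanforward enable
    next
    # One L3 sub-interface per VLAN. vlan101 is the LAN whose hosts sit
    # only behind the switch; its gateway still lives here on the FortiGate.
    edit "vlan101"
        set vdom "root"
        set interface "bond0"
        set vlanid 101
        set ip 192.168.101.1 255.255.255.0
        set allowaccess ping
    next
    edit "vlan102"
        set vdom "root"
        set interface "bond0"
        set vlanid 102
        set ip 192.168.102.1 255.255.255.0
        set allowaccess ping
    next
end
# Nothing passes between VLANs until a policy permits it: the FortiGate now
# owns inter-VLAN routing, so each allowed direction needs an explicit rule.
config firewall policy
    edit 0
        set name "vlan101-to-vlan102"
        set srcintf "vlan101"
        set dstintf "vlan102"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

On the HP ProCurve side the matching (assumed) configuration is `trunk 23-24 trk1 lacp`, then `tagged trk1` under each of `vlan 101` and `vlan 102`, with the access ports left untagged in their VLAN.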
Copyright 2024 Fortinet, Inc. All Rights Reserved.