Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fl0at0xff
New Contributor II

Created on ‎10-09-2016 11:15 PM

Basic question about VLAN design

Hello,

 

I just have a basic question: When you configure a Fortigate, what is the best practice regarding the configuration of VLAN ? For example, imagine I have 5 different VLAN in my network, I want to make the inter-vlan routing with the fortigate, how can I configure the interfaces ?

- It is better to create 5 vlan-interface under only one physical interface

- It is better to create 5 vlan-interface under 5 physical interfaces (one per vlan)

- It is better to use 5 physical interfaces as access interfaces ?

 

Thank you for you answers

Labels:
7155
0 Kudos
7 REPLIES 7
Somashekara_Hanumant
Staff
Staff

Created on ‎10-10-2016 01:14 AM

Hello,

 

- It is better to create 5 vlan-interface under only one physical interface

>>> Yes you can configure 5 VLAN interfaces on only one physical interface

 

- It is better to create 5 vlan-interface under 5 physical interfaces (one per vlan)

>>> You can configure each VLAN on different physical interfaces, advantage of multiple VLAN's on multiple interfaces is bandwidth

- It is better to use 5 physical interfaces as access interfaces ?

>>> This option also similar to the above option, you will be dividing the bandwidth on 5 interfaces,

 

Please refer the below documents also.

 

http://help.fortinet.com/...%20in%20NAT%20mode.htm

 

https://www.youtube.com/watch?v=NVLDRHLWbWc

 

Cheers

Somu

EMEA Technical Support
3920
0 Kudos
fl0at0xff
New Contributor II
In response to Somashekara_Hanumant

Created on ‎10-10-2016 01:22 AM

Hello and thank you for your answer.

 

Ok for the bandwidth argument. I understand the added-value tu use separate interface.

Now, when is it preferable to create one VLAN sub-interface per physical interface and when use directly the physical interface. Does it depend only of the configuration of the switch on the other side ? 

3920
0 Kudos
Nils
Contributor II
In response to fl0at0xff

Created on ‎10-10-2016 06:06 AM

I would prefer to use Link Aggregation.

Aggregate several physical interfaces and then create vlan interfaces under the logical bundle.

But this is only supported on series above 100D(?).

 

Otherwise I would say that if you think you'll create new networks in the future, its better to go with VLAN intefaces. Then it's easy to just add a vlan to that interface and configure an IP-address without having physical access to the firewall.

 

3920
0 Kudos
fl0at0xff
New Contributor II
In response to Nils

Created on ‎10-10-2016 06:38 AM

Hello Nilsan and thank you for this answer ! Your solution looks great and interessting in terms of available bandwitdh. But how do you handle /configure LACP ? I think, I will prefer the solution with vlan interface for reason of scalabilty. For example, if a I have a 60D with 7 ethernet ports and I need to create 7 vlan, I will use a vlan interface per physical port and with this solution, if in the future I need to add a new vlan, I can simply add a new vlan interface ... I think it could be a good reflexion 

3920
0 Kudos
rwpatterson
Valued Contributor III
In response to fl0at0xff

Created on ‎10-10-2016 07:00 AM

fl0at0xff wrote:

Hello Nilsan and thank you for this answer ! Your solution looks great and interessting in terms of available bandwitdh. But how do you handle /configure LACP ? I think, I will prefer the solution with vlan interface for reason of scalabilty. For example, if a I have a 60D with 7 ethernet ports and I need to create 7 vlan, I will use a vlan interface per physical port and with this solution, if in the future I need to add a new vlan, I can simply add a new vlan interface ... I think it could be a good reflexion 

I think you are confusing link aggregation with VLANs. The series below 100d(?) cannot share data between ports (LACP), but yes you can put multiple VLANs on a singe interface (802.1q tagging).

 

Hope that helps

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
3920
0 Kudos
fl0at0xff
New Contributor II
In response to rwpatterson

Created on ‎10-11-2016 05:21 AM

Hello and thank you for your answers ! I have a better idea how to configure/handle VLANs on Fortigate regarding the needs and possibilities of my clients.

 

Thank

3920
0 Kudos
MikePruett
Valued Contributor
In response to fl0at0xff

Created on ‎10-11-2016 09:54 AM

Yeah, if you are going to have a bunch of traffic flowing (more than the port you are building the VLAN's onto will support) then bundle those things up and enjoy the aggregated bandwidth benefit.

Mike Pruett

Fortinet GURU | Fortinet Training Videos

Mike Pruett Fortinet GURU | Fortinet Training Videos
3920
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.