Hello,
I keep bouncing between using VDOMs or Policies to accomplish my end goals.
My concerns are:
LAN traffic interfering with VoIP services
WAN failover functionality
VPN (IPSec/SSL) load on interface
Traffic routing and shaping
One suggestion is to setup 3 VDOMs with a VDOM link between the LAN and VPN networks. This allows me to setup failover on the LAN network WAN1 to WAN2. Also, I can then setup VoIP to use WAN2 and failover to WAN1 if needed. I'm told there shouldn't be any noticeable latency with data across the VDOM link. I end up using a lot of physical ports but the 100D has plenty.
The second option looks simpler, but it also puts a lot of faith in policies to route and separate traffic. I would set up two groups of interfaces as separate hardware switches (an OS 5.4 feature). I would use the WAN1 and WAN2 interfaces for the failover configuration, but also add a WLLB policy to direct VoIP traffic to WAN2 (if WAN2 fails, the WLLB will fail over to WAN1). Then I can either add a second IP to WAN1 (or use 1 IP for everything) for VPN connections. Then I can route, shape and configure traffic based on the policies and features of the FortiGate OS.
Both options seem sound but does anyone have a reason to use one method or the other? I'm attaching a couple of visual layouts (in two posts) to help demonstrate the two options.
Thanks for your input.
First, the diagrams help a lot.
drwg#1: you do know an interface, regardless of whether it is real or virtual, can only be in one VDOM?
drwg#2 looks clearer, whereas drwg#1 is flawed due to the above, and it's not 100% clear what objective you're trying to meet.
I believe the isolation of the traffic via vlan boundaries and QoS will give you what you need.
PCNSE
NSE
StrongSwan
Thank you for your reply.
In option 1, I understand that interfaces can only be assigned to 1 VDOM. The issue that is making me consider this option is that you can't assign IP addresses on the same subnet to an additional interface. For example, WAN1 has an IP from a block of external addresses that my ISP provides. Now I cannot assign another external IP to a different interface because it's on the same subnet as WAN1's IP.
That said, VDOM1 would have ports 2-5, VDOM2 would have 6-9 and VDOM3 would have 10-13. That leaves 4 additional ports plus the WAN1 and WAN2 ports.
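Added example (editor's illustration, not configuration posted by anyone in this thread): the FortiOS CLI plumbing behind option 1, limited to what the thread actually supports, i.e. three VDOMs, one inter-VDOM link between the LAN and VPN VDOMs, the port-to-VDOM assignment from the follow-up post, and the static route plus firewall policy that each side of the link needs before traffic will cross it. The VDOM names (LAN, VOIP, VPN), the link name lan2vpn, the 10.255.0.0/30 link subnet, the 10.20.0.0/24 VPN-side subnet and the policy names are assumptions for illustration. Per the reply above, a physical interface lives in exactly one VDOM, so wan1 is placed in LAN and wan2 in VOIP here; cross-VDOM WAN failover is not something this configuration can express.

```fortios
# Editor's added example (not from the original thread). FortiOS 5.4-style CLI.
# Assumed names: VDOMs LAN/VOIP/VPN, link lan2vpn, link subnet 10.255.0.0/30,
# VPN-side subnet 10.20.0.0/24. Port ranges follow the follow-up post.

config system global
    set vdom-admin enable
end

config vdom
    edit LAN
    next
    edit VOIP
    next
    edit VPN
    next
end

config global
    # Creating a vdom-link yields two virtual interfaces: lan2vpn0 and lan2vpn1.
    # Each end is assigned to a different VDOM, like a back-to-back cable.
    config system vdom-link
        edit lan2vpn
        next
    end
    config system interface
        edit wan1
            set vdom LAN
        next
        edit wan2
            set vdom VOIP
        next
        edit port2
            set vdom LAN
        next
        edit port6
            set vdom VOIP
        next
        edit port10
            set vdom VPN
        next
        edit lan2vpn0
            set vdom LAN
            set ip 10.255.0.1 255.255.255.252
            set allowaccess ping
        next
        edit lan2vpn1
            set vdom VPN
            set ip 10.255.0.2 255.255.255.252
            set allowaccess ping
        next
    end
end

# Each VDOM routes and filters independently: a route toward the far side
# and an explicit accept policy are needed in BOTH VDOMs or the link stays dark.
config vdom
    edit LAN
        config router static
            edit 10
                set dst 10.20.0.0 255.255.255.0
                set device lan2vpn0
                set gateway 10.255.0.2
            next
        end
        config firewall policy
            edit 10
                set name LAN-to-VPN
                set srcintf port2
                set dstintf lan2vpn0
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
            next
        end
    next
    edit VPN
        config firewall policy
            edit 10
                set name VPN-from-LAN
                set srcintf lan2vpn1
                set dstintf port10
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
            next
        end
    next
end
```

The point worth checking after applying something like this is the two-policy requirement: traffic over a vdom-link is inspected twice, once leaving the LAN VDOM and once entering the VPN VDOM, so a missing or overly broad policy on either side is a separate gap. The `all`/`ALL` objects above are placeholders; a production policy should name the specific subnets and services.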