Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Keeper_of_the_Keys
New Contributor III

Connecting a physical port and a vlan interface

Hi everyone,

 

This may be a very simple question that is well documented and I may just be using the wrong search terms but either way I have not succeeded in finding how to do this.

 

I would like our Out Of Band Management switch to be connected directly to our firewall while I also still need to let the vlan "flow" through the downlink to the backbone to be available to virtual management server etc.

 

The thing is I can only add an interface with an address to one of the links and it seems that traffic also doesn't pass between them.

I drew a simple schema of what is happening:

 

I can't create x.x.x.1 twice that I understand but how do I make the vlan on both ports behave as if they are truly 1 vlan where the forti answers/forwards on both and traffic passes from one to the other like any other L2 segment?

 

Thanks!

 

7 REPLIES 7
Keeper_of_the_Keys
New Contributor III

Am I aksing this in the wrong subsection every time? (I noticed I already asked it once in a different part of the forum)

lobstercreed

Maybe one of the more experienced folks can answer, but I'm pretty sure what you're asking is not possible.  There would be no point in using the "out-of-band" management if you also need it to be in-band.  Only certain models have an OOB mgmt port anyway. I'd open a support case if you want a better answer / reason why.  They don't monitor this forum.  You might try Reddit also as it seems to be better monitored (both by FTNT and by experienced folks).

Keeper_of_the_Keys

Hey lobstercreed, thanks for your answer!

 

From your answer I see I amy not have stated my case properly, as far as the forti is concerned it is being managed "in-band" and the question is not about managing the forti but rather about the management vlan which exists on the stand-alone switch but I also want available on the backbone this is so that on the one hand all OOBM/IPMI/{UPS,PDU,env}-management is available on a switch that is directly connected to the forti and thus does not depend on the proper functioning of any other equipment but on the other hand I do have VMs that I want to connect into this network to monitor the status of all of these devices.

 

I guess I will be opening a support case.

lobstercreed

Is there ANY vendor that lets you do this?  It sounds completely wrong/impossible from an architecture standpoint to me.  I have always had to use two different networks (VLANs/subnets) for the two distinct purposes you describe.  If it has to be one network then you have to give up one or the other (I would give up the OOB, personally).

Keeper_of_the_Keys

Why does it sound wrong?

 

It's a linux machine in the end of the day if I put the same vlan on 2 interfaces and set the right bits it will act as a switch/bridge/whatever and the machine (not the interface) can own the IP pick up packets meant for itself and forward all other traffic from one port to the other.

 

I'm honestly confused why this should be hard or complicated at all.

 

lobstercreed

But that's the thing, OOB and IB can't be bridged.  That completely defeats the purpose of what makes it OOB.  You can absolutely set up a software switch between two regular ports (again, not mgmt) on the FGT and have them act as one "VLAN" but it sounds like you're talking about using a VLAN subinterface on one port and bridging that with a physical port which as far as I know has never been possible on a FortiGate either (and that at least would make sense).  Not aware of any firewall vendor that can do that though....it's more of something you can do on a L3 switch, but the FGT is designed as a router, not a switch.

Keeper_of_the_Keys

Thanks for pointing out the software switch function, that is indeed the type of functionality I'm looking for but as you rightly point out I want to use it with vlan subinterfaces which it seems FortiOS does not do.

 

As for the design of the OOB management network that I think is a debate in design philosophies and OT for here (but the shortest answer possible is I want monitoring/management servers that I trust to have unencumbered access, I can also see an argument for them living on a different vlan to allow all sessions to be logged and anomalies to be detected though).

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors