Hello everyone!
I am looking into a FortiNAC implementation and the following question came around. Tried to check documentation but there are some differences on it so would appreciate a third opinion to make sure the right setup is being followed.
When deploying multiple isolation networks on FortiNAC (Registration, Authentication and Remediation for example) all of them have different IPs on config wizard, yet all belonging to the same interface port2.
On a L3 setup, which IP should be indicated as DHCP relay (helper) on each interface? The main IP for port2 or the equivalent to the VLAN that is being configured?
Found this and other examples saying the first is correct:
https://docs.fortinet.com/document/fortinac-f/7.2.0/high-availability-fortinacos/377092/layer-3
In the image is possible to see that all helpers, no matter the VLAN, point to 10.10.100.2 and 10.50.100.2 which are the registration port2 IPs for each FortiNAC server.
It also says the following:
DHCP Helpers – FortiNAC returns two DNS servers for isolation VLANs. Therefore, for each isolation VLAN, configure DHCP Helpers for both Primary and Secondary port2 IP addresses. If multiple isolation VLANs are configured, use the main port2 IP address.
Yet, I found a different deployment document that presents this image:
In this image, on the other hand, we see the helpers pointing to their relative port2 ip and there is the following text:
- DHCP relays must be configured on each isolation network pointing back to the isolation interface.
Which one should be followed?
Thanks in advance for any help!
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello
Personally I always used one single isolation when doing L3 mode, not to make things more complicated than they already are.
But in your case, logically talking, the second one is the correct one, since each DHCP scopes is defined within its related sub-interface.
On the other hand it is also possible that both are correct, this is in case the same DHCP server instance is listening on all sub-interfaces, in that case the DHCP helper can be any of those IP addresses and the result will be the same.
Hello
Personally I always used one single isolation when doing L3 mode, not to make things more complicated than they already are.
But in your case, logically talking, the second one is the correct one, since each DHCP scopes is defined within its related sub-interface.
On the other hand it is also possible that both are correct, this is in case the same DHCP server instance is listening on all sub-interfaces, in that case the DHCP helper can be any of those IP addresses and the result will be the same.
Hello @jprocha,
the second deployment image you have shared uses a Individual VLAN per Host state.
This is just used for logical grouping of DHCP Scopes and subnets depending on their function (registration,remediation, dead end etc..)
The purpose is ease of administration in very large environments where administrators might want a specific subnets declared for specific Host state and have a easier job when modifying scopes when changes happen.
In this case the DHCP relay should be the subinterface IP since that will also be presented as DNS server for the respective VLAN/State.
In a small to medium environment you can use the Isolation Vlan which is a shared VLAN per Host state. You do not expect a large amount of subnets/scopes and you can have only one VLAN to manage all.
FortiNAC provides the respective Captive portal depending on host state.
For reference:
Regards
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1547 | |
1030 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.