jcarlilesiu
New Contributor

Expanding Network Topology/Configuration Help

All,

 

We are a self managed small but growing design practice utilizing a FortiGate 60E in our file server.  Our office is expanding to the floor above our current space.  We currently have the following hardware in our rack:

 

- Apple Mac Pro (Mostly a mac environment)

- FortiGate 60E

- Cisco SG200-50P Switch

- Comcast Router

- 4G Cellular Failover Router

- Sonnett Tech Echo (NAS)

- Security Camera Headunit

 

Everything else is just monitor, keyboard, battery backup etc.  We are expanding to the second floor and will be moving both the Mac Pro and the NAS upstairs.  We purchased another Cisco SG200-50P for upstairs switching. 

 

Currently, the Comcast Router (WAN1) and 4G Router (WAN2) are connected to the FortiGate which then routes to the Cisco Switch.  We are currently utilizing about 32 ports which is a mixture of data only endpoints and some VOIP endpoints.  We additionally have a UniFi software controller and a couple of WAPs serving internal staff and a client/guest network. 

 

The format of endpoints will be likely the same upstairs. 

 

From a network perspective, we have our LAN1 (internal), VLAN43 (VOIP), and VLAN100 (guest/wifi).  We have the two WANs above, and use SSL VPN for our field staff.  We have the following firewall policies in place (though I think some of them are unused):

 

(Screenshot of the firewall policy list attached in the original post.)

I'm simply trying to figure out the best way to expand the network upstairs in both the best-practices method as well as what's easiest.  The new rack is going directly above the current one. 

 

I think simply using another internal port on the FortiGate to the switch upstairs would be acceptable, putting both switches on their own VLAN (VLAN 1 & 43 downstairs and VLAN 2 & 44 upstairs)?  With all endpoints connected through a patchpanel to their respective switch on each floor?

 

In total, we will have about 20 users and likely about 60 total across the network?

 

Is there any inherent downside to this plan?  Better way to do it?  I appreciate any help you can provide. 

Toshi_Esumi
SuperUser

Not sure how you could find a "new" SG200-50P, which was discontinued about 7 years ago. But that would be the weakest link in your line-up of network gear. The 60E's EOS (end of support; most call it EOL) is coming up next year too.

Unless you need to have a completely new set of functions upstairs and are exhausting IPs in the subnets, extending the existing VLANs there would be the easiest option, as you already know, since basically you don't have to change anything on the FGT. 
If the new port on the FGT you're now thinking of connecting to the upstairs switch is part of the hardware switch (default is "internal") together with the existing port connected to the current switch, literally no change on the FGT is needed. All VLANs would be spanned to the new switch as soon as you hook it up.
However, if the new port is not part of the hardware switch (you must have removed it from "internal" before, if that's the case), either you have to cascade the new switch from the current switch or put the new port back in the same hardware switch (again, likely "internal").

But if you can afford it, I would suggest you get a better/more recent switch (Cisco migrated SG200 -> SG250 -> CBS250 -> and now Catalyst 1200) to have a fresh start.

Toshi 
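As an added illustration of the hardware-switch point in the reply above (this is not configuration from the original post or from Fortinet documentation), the FortiOS CLI below shows how to check which ports belong to the "internal" hardware switch, how to put a port back into it, and how the existing VLAN sub-interfaces stay bound to the switch. The port name internal5, the hardware-switch name "internal", the VDOM name and the RFC 5737 placeholder addresses are assumptions; only the VLAN IDs 43 and 100 come from the original post.

```fortios
# Added example (not from the original post). Port names, addresses and the
# hardware-switch name are assumptions for a FortiGate 60E with default
# naming; verify on your own unit with "show system virtual-switch".

# 1. List the physical ports that are members of the "internal" hardware switch.
#    A VLAN defined on "internal" is carried on every member port, so the
#    upstairs switch only needs to be cabled to any member port.
show system virtual-switch

# 2. If the port you want to use (assumed here to be internal5) was removed
#    earlier, add it back so the existing VLANs span to it automatically.
config system virtual-switch
    edit "internal"
        config port
            edit "internal5"
            next
        end
    next
end

# 3. The VLAN sub-interfaces stay bound to "internal"; nothing here changes
#    when a second switch is attached. Addresses are placeholders.
config system interface
    edit "VLAN43"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
        set interface "internal"
        set vlanid 43
    next
    edit "VLAN100"
        set vdom "root"
        set ip 198.51.100.1 255.255.255.0
        set interface "internal"
        set vlanid 100
    next
end

# 4. After cabling the new switch, check whether one address is being answered
#    by two MAC addresses (a duplicate management IP on the two switches).
get system arp
diagnose ip arp list
```

If both switches are using the same management address, the ARP entry for that address will alternate between two MACs while both are connected; give the second switch its own management address (and ideally its own untagged management VLAN assignment matching the first) before connecting it to the shared hardware switch.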

jcarlilesiu

Hi Toshi, thanks for the response.  You are correct, this isn't a new switch but a match to the one we already had.  While we are aware that the 60E and the switches are EOL, the cost of building out the second floor mandates postponing updating equipment at this moment.  Hopefully soon. 

 

Thanks for your advice on simply extending current functions upstairs.  Yes, that's what we want to do.  I simply need a switch up there for the patch panel to support new endpoints.  No, we are nowhere near exhausting IPs on the subnet. 

 

The confusion is, I did exactly what you said and plugged the new switch into the available port on the FGT.  I was able to see the device come online by monitoring devices on the FGT.  The problem is, I think it shared the IP address of the original switch, disallowing me from accessing its web interface.  Like there was a duplicate IP.  Now, I have since unplugged the new switch from the FGT, yet the original switch still isn't appearing on my device list, like there is no IP assigned to it. 

 

I am also no longer able to access the original switch through the interface.  Directing to the last known IP is giving me a no-page found issue. 

 

The switch is still passing traffic. 

 

If I want to do as you said, was there some step I missed before hooking up the new switch potentially creating an IP duplication issue?

Toshi_Esumi
SuperUser

Would it work if you connect the new switch behind a current switch's trunk port? In other words, cascading it?

Toshi 
