Thanks for the preview.
Some things where I got stuck:
You talk about "MAC addresses" often. I wonder why you avoid mentioning the OSI layer model, Layer 2 and 3.
pg 4. NAT mode: "FortiGate ports have IP addresses." ...which certainly is not true - they don't need to have addresses. Rather, "Ports need to have unique IP addresses if any.".
pg 5. It really would be enlightening if you could clarify whether a TP-mode FGT is a switch or a hub. All doc examples only show 2 ports active, which doesn't allow this distinction to be made. Later on, on pg. 6, you start talking about it being a bridge, then drop that in favor of "switch". As bridges are nearly extinct today I'd feel more comfortable with "switch".
One property of a switch is that it will forward a packet only to the port which has previously seen the destination's MAC address. If the destination MAC is not yet known a switch has to broadcast an ARP request to all ports. So, eventually, a switch can also connect collision domains.
"Forwarding domain" pg7-9: IMHO forwarding broadcasts from one VLAN to all ports is correct behavior as a VLAN has the explicit advantage NOT to tie VLAN members to one physical segment. I assume that's why this is the default way VLAN broadcasts work in FortiOS. You elaborate that this might have disadvantages in large networks which is a corner case in my opinion - connectivity before efficiency. At least, the student should not get the impression that without defining forwarding domains VLANs are not correctly set up.
diag command: only 16 seconds are not sufficient to explain the data which you can obtain from the output, which is a pity. As we all know, diag commands are essential, and essentially not undocumented.
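As an added illustration (not part of the post above and not FortiOS code), the following Python model shows the two behaviours the post discusses: the hub-versus-switch distinction on pg. 5, which only becomes observable with more than two ports, and the forwarding-domain scoping of broadcasts on pg. 7-9. The port names, MAC addresses and domain ids are constructed for the example; the forwarding-domain semantics are modelled as the post describes them (a flat broadcast domain by default, flooding limited to ports that share a domain id once domains are set), which is an assumption of this example, not a statement of the FortiOS implementation.

```python
# Added example: a minimal hub and learning switch with forwarding domains.
# Port names, MACs and domain ids are constructed for illustration.

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """A hub repeats every frame out of every other port, learning nothing."""

    def __init__(self, ports):
        self.ports = list(ports)

    def handle(self, ingress, src, dst):
        return [p for p in self.ports if p != ingress]


class LearningSwitch:
    """A learning switch: forward unicast to the port where the destination
    MAC was learned, flood broadcast and unknown unicast, and (assumed
    forwarding-domain semantics) flood only among ports sharing a domain id."""

    def __init__(self, port_domains):
        # port name -> forwarding domain id; the same id on every port models
        # the default flat broadcast domain the post describes.
        self.port_domains = dict(port_domains)
        self.mac_table = {}  # learned MAC -> port

    def _flood_ports(self, ingress):
        domain = self.port_domains[ingress]
        return [p for p, d in self.port_domains.items()
                if d == domain and p != ingress]

    def handle(self, ingress, src, dst):
        """Process one frame; return the list of egress ports it is sent to."""
        if ingress not in self.port_domains:
            raise ValueError(f"unknown port {ingress}")
        # Learn (or refresh) the source MAC on the ingress port.
        self.mac_table[src] = ingress
        if dst == BROADCAST or dst not in self.mac_table:
            # Broadcast or unknown unicast: flood within the forwarding domain.
            # This flooding is what a sniffer relies on after a MAC-table
            # overflow, so a full table should alarm rather than silently flood.
            return self._flood_ports(ingress)
        out = self.mac_table[dst]
        if out == ingress:
            return []  # destination is on the ingress segment: not repeated
        if self.port_domains[out] != self.port_domains[ingress]:
            return []  # learned in another forwarding domain: not bridged
        return [out]


def demo():
    """Run the scenarios from the post and return the egress lists."""
    ports = ["port1", "port2", "port3", "port4"]
    h1, h2, h3 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"

    # A hub repeats a known-unicast frame everywhere; with 2 ports you
    # could not tell it from a switch.
    hub = Hub(ports)
    hub_unicast = hub.handle("port2", h2, h1)

    # Default: all ports in domain 0, one flat broadcast domain.
    flat = LearningSwitch({p: 0 for p in ports})
    flood = flat.handle("port1", h1, BROADCAST)      # broadcast reaches all others
    unknown = flat.handle("port2", h2, h3)           # h3 unknown: flooded
    learned = flat.handle("port2", h2, h1)           # h1 learned on port1 only

    # Forwarding domains: broadcasts from port1 stay within domain 10.
    scoped = LearningSwitch({"port1": 10, "port2": 10, "port3": 20, "port4": 20})
    scoped_flood = scoped.handle("port1", h1, BROADCAST)
    cross = scoped.handle("port3", h3, h1)           # h1 is in domain 10: dropped
    return hub_unicast, flood, unknown, learned, scoped_flood, cross


if __name__ == "__main__":
    for name, egress in zip(
            ["hub unicast", "flat broadcast", "unknown unicast",
             "learned unicast", "scoped broadcast", "cross-domain unicast"],
            demo()):
        print(f"{name:20s} -> {egress}")
```

The `learned` case is the switch property the post describes: after `h1` has been seen on `port1`, a unicast to it leaves on `port1` only, whereas the hub sends the same frame to every port. The `scoped_flood` and `cross` cases show that forwarding domains change which ports a flood reaches, not whether the VLAN works without them.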
Good overview. Thanks!
I would like more detail in how to configure and troubleshoot.