- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Forti VLANs with Cisco Switch
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Forti VLANs with Cisco Switch
Hello, folks.
I'm fairly new to FortiGate and I'm in the process of configuring an 80F to replace a Cisco RV320 router. The RV320 has 4 sub-interfaces tagged with their respective VLANs:
- x.x.0.1 (default), x.x.10.1 (vlan10), x.x.20.1 (vlan 20), x.x.30.1 (vlan 30)
The Cisco core switch has virtual interfaces for each VLAN:
- x.x.0.2 (default), x.x.10.2 (vlan10), etc.
- Each VLAN interface points to a Windows server for a DHCP-helper address
- The DHCP scopes for each VLAN subnet points to the respective switch virtual interface (x.x.x.2) for its gateway
- The core switch has a single default route pointing to x.x.0.1 on the RV320
- The core switch is connected to the RV320 by single trunk port that carries all VLANs
As I'm setting up the 80F I thought it would be nice for each VLAN to have a dedicated physical port on the FortiGate to avoid having congestion on a single shared trunk port:
- I removed 3 ports from "internal" and configured them as standard ports (not VLAN) each with their x.x.x.1 address
- I plan to dedicate 1 core switch port for each VLAN and connect them to the respective 80F ports 1:1
- I plan to change the DHCP scopes for each subnet to point to the x.x.x.1 address of the 80F ports (the reason for using x.x.x.2 previously was to keep inter-VLAN traffic on the switch and off the trunk to the RV320)
I've done something similar for a Guest network on a different Forti device but in that instance the VLAN was carried through the network directly to the (untagged) FortiGate port which handed out DHCP itself. In that case it worked just fine.
Am I going about this the right way or is there a better/easier way? Can I setup a DHCP-helper address on the physical Forti interfaces? Is there benefit to configuring the Forti ports as VLAN interfaces?
Edit:
What about using a 4-port aggregate on the Forti to a 4-port Etherchannel on the Cisco and keeping the switch's default route to x.x.0.1?
Thanks!
zp
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Zach,
zp wrote:Am I going about this the right way or is there a better/easier way? Can I setup a DHCP-helper address on the physical Forti interfaces? Is there benefit to configuring the Forti ports as VLAN interfaces?
Yes, yes, and no. This gives you the greatest flexibility in building firewall rules and controlling (or at least logging) inter-VLAN traffic. You absolutely can have the FortiGate do the ip-helper and you can do it from the GUI interface config by selecting Advanced when you turn on the DHCP server and changing the Mode from "server" to "relay".
zp wrote:Edit:
What about using a 4-port aggregate on the Forti to a 4-port Etherchannel on the Cisco and keeping the switch's default route to x.x.0.1?
I'm not sure what the switch's default route has to do with whether you use LACP or not, but I would imagine you could use the agg and do VLANs on that interface. Honestly, not something I've ever had reason to do but if bandwidth or VLAN expansion is a concern, maybe you want to give it a try and let us know. :)
- Daniel
- « Previous
-
- 1
- 2
- Next »
13 REPLIES 13
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On a FGT a vlan is threated as a virtual interface too. So you can tie it to a port or switch or trunk.
You cannot configure a physical interface as vlan interface on a FGT.
Then you can create policies or static routes using the vlan interface as source or destination interface.
However only traffic that leaves the cisco will hit the FGT.
And yes a virtual vlan interface can have rather the same options as a physical one. So you could set up secondary IP(s) or dhcp server or dhcp relay on it if needed.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe you've got it, Zach! That should work as far as I can tell from what we've discussed.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you everyone, I appreciate it!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The change-over went great! One thing that I expected to possibly be an issue was having the one sub-interface tagged as "VLAN 1". I changed the VLAN ID for that (management) VLAN and adjusted some internal addressing. Worked out just fine and will end up being more secure anyway by preventing VLAN hopping.
Thanks again everyone!
- « Previous
-
- 1
- 2
- Next »
Related Posts
- Options to pass a VLAN through... 20 Views
- Implementing FGSP with OSPF ECMP based... 39 Views
- Configuration of FortiLink with cisco switch 89 Views
- DHCP on a Fortiswitch 124F from... 210 Views
- Duplicate a working Cisco Router config... 985 Views
Labels
-
FortiGate
6,665 -
FortiClient
1,328 -
5.2
801 -
5.4
639 -
FortiManager
577 -
FortiAnalyzer
421 -
6.0
416 -
5.6
362 -
FortiSwitch
342 -
FortiAP
339 -
FortiClient EMS
271 -
FortiMail
253 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
158 -
6.4
128 -
FortiNAC
109 -
FortiGuard
106 -
FortiSIEM
91 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
77 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
66 -
4.0MR3
64 -
Wireless Controller
58 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
29 -
Firewall policy
29 -
SD-WAN
29 -
High Availability
24 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
FortiAuthenticator
20 -
ZTNA
19 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
Interface
13 -
FortiDDoS
13 -
Logging
13 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
LDAP
11 -
fortilink
10 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SSO
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.