Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
itka
New Contributor

Created on ‎10-04-2025 11:45 AM

FortiGate 100F Aggregation - Dell S4112F (VLT)

Hello everyone,

I’m planning to replace my current Vigor 3220 router with a FortiGate 100F as the main firewall and router for my network.

 

Current Network Topology

  • Core Switches: 2 × Dell S4112F (OS10), N160-N161 configured as a VLT pair.
  • Access: Dell N1148T Switches N162-N165 connected via trunk ports to Core Switch.
  • Old Router: Vigor 3220 (172.16.16.221) Connected via 1Gbit Link to Dell N1148T -N162 Switch port52. S
  • VLANs: 1 (Mgmt), 110 (Servers), 120 (Users), 140 (WiFi), 510 (Staging Server), 520 (Staging Users).
  • FortiGate 100F (test LAN 172.16.16.222 :( connected to Dell N1148T-N162 on port 51 (trunk)

Currently, all inter-VLAN communication happens at the Core Switch level (the Dell S4112F pair). Each VLAN has its own SVI and VRRP configuration on the cores.

 

infra.png

 

Fortigate Test Network

At the moment, I created two testing VLANs (510, 520) and added static routes on the core switches so that those VLANs go through the FortiGate:

 

  • ip route 0.0.0.0/0 172.16.16.221
  • ip route 10.51.10.0/24 172.16.16.222
  • ip route 10.51.20.0/24 172.16.16.222


All  test VLAN sub-interfaces (VLAN 510, 520, etc.) work fine.

 

Correct Topology

Now, I’m considering moving the FortiGate connection directly to the core layer using 10 Gbps uplinks (FortiGate x1, x2) to the two Dell S4112F core switches (N160,N161), which operate as a VLT pair.

 

Planned connections:

x1 → Dell S4112F #1 (N160) port 1/1/12

x2 → Dell S4112F #2 (N161) port 1/1/12

 

My Questions

  1. Can VLAN sub-interfaces work properly under a FortiGate aggregate interface (LACP x1+x2)?
  2. Should I assign an IP to the aggregate interface, or only to the VLAN sub-interfaces?
  3. What is the recommended configuration on the Dell OS10 switches for this setup (LACP + VLT)?
  4. If I move my current VLANs from interface “LAN” to the new aggregate, will they continue to work with the same IPs and DHCP relays?
  5. The Dell switch ports are currently configured in a port-channel (VLT). Should I delete and recreate the port-channel, or can I reuse it as it is?

 

Any advice or best practice for connecting a FortiGate 100F via LACP to a Dell VLT pair would be appreciated.

 

Note:
I also have the full configuration files for my current setup — FortiGate, Dell S4112F core switches,  available if needed for review.

 

Thank you in advance for your help!

 

 

Dell S4112F Configuration

!

interface vlan510

 vlan-name Staging_Servers_Vlan

 description ***_Staging_Server_***

 no shutdown

 ip address 10.51.10.3/24

 no ip dhcp snooping

 ip helper-address 10.51.10.11

 !

 vrrp-group 7

  priority 150

  virtual-address 10.51.10.1

!

 

!

interface port-channel1

 description ***_THQ-N07-162_local_member_Eth1/1/1_***

 no shutdown

 switchport mode trunk

 switchport access vlan 1

 switchport trunk allowed vlan 110,116,120,140,150,160,180,510,520

 vlt-port-channel 1

!

!

interface ethernet1/1/1

 description ***_HQ-N07-162__Po1_member_***

 no shutdown

 channel-group 1

 no switchport

 flowcontrol receive off

!

!

ip route 0.0.0.0/0 172.16.16.221

ip route 10.51.10.0/24 172.16.16.222

ip route 10.51.20.0/24 172.16.16.222

!

 

Fortigate 100F Configuration

edit "lan"

        set vdom "root"

        set ip 172.16.16.222 255.255.252.0

        set allowaccess ping https ssh fabric

        set type hard-switch

        set alias "Fortigate-100F"

        set role lan

    next

        edit "VLAN 120"

        set vdom "root"

        set ip 10.11.20.222 255.255.255.0

        set alias "Users"

        set role lan

        set interface "lan"

        set vlanid 120

    next

    edit "VLAN 1"

        set vdom "root"

        set ip 10.11.1.222 255.255.255.0

        set alias "Management"

        set role lan

        set interface "lan"

        set vlanid 1

    next

    edit "VLAN 110"

        set vdom "root"

        set ip 10.11.10.222 255.255.255.0

        set alias "Servers"

        set role lan

        set interface "lan"

        set vlanid 110

    next

    edit "VLAN 510"

        set vdom "root"

        set ip 10.51.10.222 255.255.255.0

        set alias "Staging Servers"

        set role lan

        set interface "lan"

        set vlanid 510

    next

    edit "VLAN 520"

        set vdom "root"

        set ip 10.51.20.222 255.255.255.0

        set alias "Staging Users"

        set role lan

        set interface "lan"

        set vlanid 520

    next

Labels:
131
0 Kudos
1 Solution
Toshi_Esumi
SuperUser
SuperUser

Created on ‎10-04-2025 01:04 PM

First, I heard 100F's X1/X2 ports are configured as a fortilink port by default. You likely need to remove the fortilink related config first before you can re-configure them as another LAG port.
In CLI, do "show | grep -f fortilink" to find out what parts of config are the dependencies before you can remove fortilink interface.

If Dell's default Port-channel config is active+LACP, you probably don't have to change on the Dell switch side. You don't need to configure L3 interface on the X1/X2 LAG interface if you don't plan to use untagged interface (Dell side's native VLAN on the Port-channel). VLANs on the LAG interface would work just like the VLANs on a single port.

However, "moving" VLANs from one port to another is technically not allowed since those are not SVIs but sub-interfaces of a parent interface on the FGT. You have to remove them first then re-configure it on the new interface. 

If that's too much distractions,  you could download the entire config from the 100F, then edit it to "move" VLANs from the current port to a new LAG port in the file. Then upload it to the FGT. It obviously involves a risk and a reboot after you upload it. You have to be really confident about the change you make.

Toshi

 

View solution in original post

116
0 Kudos
2 REPLIES 2
Toshi_Esumi
SuperUser
SuperUser

Created on ‎10-04-2025 01:04 PM

First, I heard 100F's X1/X2 ports are configured as a fortilink port by default. You likely need to remove the fortilink related config first before you can re-configure them as another LAG port.
In CLI, do "show | grep -f fortilink" to find out what parts of config are the dependencies before you can remove fortilink interface.

If Dell's default Port-channel config is active+LACP, you probably don't have to change on the Dell switch side. You don't need to configure L3 interface on the X1/X2 LAG interface if you don't plan to use untagged interface (Dell side's native VLAN on the Port-channel). VLANs on the LAG interface would work just like the VLANs on a single port.

However, "moving" VLANs from one port to another is technically not allowed since those are not SVIs but sub-interfaces of a parent interface on the FGT. You have to remove them first then re-configure it on the new interface. 

If that's too much distractions,  you could download the entire config from the 100F, then edit it to "move" VLANs from the current port to a new LAG port in the file. Then upload it to the FGT. It obviously involves a risk and a reboot after you upload it. You have to be really confident about the change you make.

Toshi

 

117
0 Kudos
itka
New Contributor
In response to Toshi_Esumi

Created on ‎10-08-2025 02:16 AM

Thank you very much for your detailed explanation, everything is working perfectly now!

Ηere’s what I ended up doing:

  • Removed the default FortiLink configuration on X1/X2.

  • Created a new aggregate interface (LACP) combining X1 + X2 (agg-core) — no IP address on the aggregate itself.

  • Added VLAN sub-interfaces under the aggregate (edit the config file):

    • agg.116 → 172.16.16.222/22 (backbone toward Dell core switches)

    • agg.510 → 10.51.10.222/24 (Staging Servers)

    • agg.520 → 10.51.20.222/24 (Staging Users)


On the Dell S4112F (n160 / n161):

  • Configured both Ethernet1/1/12 as LACP members of Port-Channel 12 with
    channel-group 12 mode active 
  • Shut down the SVIs for VLAN 510 and 520, and added static routes to the FortiGate
    ip route 10.51.10.0/24 172.16.16.222
    ip route 10.51.20.0/24 172.16.16.222

Now VLANs 510 and 520 are routed through the FortiGate for Internet access, while all other VLANs continue to use the existing Vigor 3220 router. After completing all the tests successfully, I applied the same configuration changes to all other VLANs.


Dell S4112F Config
!
interface ethernet1/1/12
description ***_Fortigate_X1_***
no shutdown
channel-group 12 mode active
no switchport
flowcontrol receive on
!

!
interface port-channel12
description ***_Fortigate_X1_Port12***
no shutdown
switchport mode trunk
switchport access vlan 1
switchport trunk allowed vlan 110,116,120,140,150,180,510,520
vlt-port-channel 12
!

!
interface vlan510
vlan-name Staging_Servers_Vlan
description ***_Staging_Server_***
shutdown
ip address 10.51.10.2/24
no ip dhcp snooping
ip helper-address 10.51.10.11
!
vrrp-group 7
priority 150
virtual-address 10.51.10.1
!
interface vlan520
vlan-name Staging_Users_Vlan
description ***_Staging_Server_***
shutdown
ip address 10.51.20.2/24
no ip dhcp snooping
ip helper-address 10.51.20.11
!
vrrp-group 8
priority 150
virtual-address 10.51.20.1
!

 

Thanks again for your help and clear guidance!

 

44
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.