Hi, I am a bit of a novice so please bare with me. I have a FG60F and added a second internet service on Wan2. I want to be able to add a second Lan interface independent of the default Lan and use it for the office network, routing traffic from it out over Wan2. Policy routing can be used for this relatively easily I believe. The default Lan is configured on a vlan switch interface with a single vlan 20, and is connected to a Cisco switch via a trunk. The second Lan to be configured on a software switch interface using port 2 with vlan 30, and I would like to connect it to the same Cisco switch. The idea is to use the second Lan for the office network, isolating it, and maintain the default Lan which has multiple VPN's used for remote site CCTV viewing. My question is, can both FG Lan ports be connected to the same Cisco switch? To summarise: single Cisco switch, FortiGate with Wan1 & Wan2, Lan1 on Vlan switch using port1, Lan2 on software switch using port 2, Lan1 connected to switch via a trunk. I Want to connect Lan2 to the same switch using vlan 30 if possible? I have been advised that connecting both Lan ports will cause issues with the native vlan on the Cisco switch because each Lan interface would have its own vlan. Is this possible, and/or is there a better solution using a single switch, maybe a second Vdom on the FG60F? Hope my description isn't too messy!!! Cheers, Garry.
Is it better to separate your internal networks using VLAN. You can create VLAN subinterfaces under software or VLAN switch and put both port1 and port2 under the same software or VLAN switch. Users from one VLAN can't access other VLANs without a firewall policy.
Thanks @hbac, the main reason is that there is a huge amount of in and outbound traffic on the Lan port with the VPN's as they are streaming CCTV video from several sites to three TV screens at the main office. This is a requirement of the organisations insurance policy, and the bandwidth use is crippling the office internet services on the same interface. I wanted to give them full bandwidth on the other Lan port, as much as isolate the office Lan from the VPN's.
We did consider moving everything to a LAG and have both Vlan's on that port, but I wanted to avoid redoing all of the VPN's and policy rules. However both you and Toshi make very reasonable points, so I think we will have to go with both your suggestions.
First question is why do you want to separate the 2nd LAN physically on the FGT side while the FGT treats all VLANs as separate interfaces? Are you concerning about 1Gig bandwidth between the switch and the FGT? If so, you can set up LAG/LACP (Cisco's Port-channel) between them.
It's much easier to stack up all VLANs between them on one physical interface. Then let the switch deliver those VLANs to proper ports.
I'm not saying you can't have two separate connections between them as long as the switch is handling spanning-tree and avoids loops especially non-tagged broadcast domain, you always need to be conscious about the possibility if you have multiple paths.
As I mentioned in my reply to hbac, there is a huge amount of in and outbound traffic on the Lan port with the VPN's as they are streaming CCTV video from several sites to three TV screens at the main office. You are correct that I want to provide the office network full 1GB bandwidth on the other Lan port, just as much as isolate the office Lan from the VPN's.
I did consider moving everything to a new LAG on port 2 & 3 and have both Vlan's on it, but want to avoid redoing all of the VPN's and policies. However I could just put port 2 in the software vlan interface as you mention and create a LAG. The one thing I am unsure about though is that port 1 is currently connected to port 24 on the switch which is set as a Trunk. Not sure if it's possible to configure a Lag as a trunk as I have not done that before, is it possible on a Cisco switch do you think?
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.