Friends, what is the difference between a FortiNAC device in Layer 2 and Layer 3? And which one is the most recommended?
Hello, you can view the below link for deployment modes:
Hi,
L3 network: Eth1 is connected to a single VLAN on an untagged port. Network traffic is routed to the clients for each isolation network.
The following components are configured:
* FortiNAC Service Interface(s): The interface(s) which FortiNAC uses to communicate with endpoints in the “isolation” networks.
* DHCP scope(s): Used by FortiNAC to deliver IP addressing to isolated endpoints. In some cases, FortiNAC also delivers IP addressing for known/trusted hosts.
L2 Network:
Traffic in the “isolation” VLANs is switched to the FortiNAC eth1 interface. 802.1Q tags are configured for the corresponding “isolation” VLANs, and eth1 IP addresses are within those networks.
The following components are configured:
* FortiNAC Service Interface(s): The interface(s) which FortiNAC uses to communicate with endpoints in the “isolation” networks.
* DHCP scope(s): Used by FortiNAC to deliver IP addressing to isolated endpoints. In some cases, FortiNAC also delivers IP addressing for known/trusted hosts.
Guide:
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/4459f8be-65c4-11ed-96f0-fa163e...
The most used and recommended is L3.
BR
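As an added, constructed illustration of the two eth1 layouts quoted above (this is not code from the post, from the deployment guide, or from Fortinet), the following Python takes a hypothetical isolation-network design and checks the points that differ between the modes: in L2 each isolation network needs its own 802.1Q sub-interface on eth1 with an address inside that network, while in L3 eth1 has a single untagged address and each isolation network must be a separate routed network reached through the next hop, with DHCP relayed back to eth1. The plan layout, the rule that FortiNAC holds the gateway address in L2, the sample addresses and the check names are all assumptions made for the example.

```python
"""Constructed example (not FortiNAC code): sanity-check an isolation-network
design for the two FortiNAC eth1 deployment modes.

L2: eth1 carries 802.1Q tags for each isolation VLAN and holds an IP inside
    each isolation network (sub-interface eth1.<vid>).
L3: eth1 sits untagged in a single VLAN; isolation networks are remote and
    reached through the eth1 next hop, with the router relaying DHCP to eth1.

The plan dict layout and the rules below are assumptions for illustration.
"""
import ipaddress


def _dhcp_scope_ok(start, end, net, excluded):
    """True if start..end is an ordered range inside net that avoids `excluded`."""
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if s not in net or e not in net or s > e:
        return False
    return not (s <= excluded <= e)


def check_plan(plan):
    """Validate a plan and derive the eth1 layout it implies.

    Returns a dict with 'ok', 'findings' (human-readable problems),
    'interfaces', 'routes' and 'dhcp_relays' (the last two are L3 only).
    """
    mode = plan["mode"]
    findings, interfaces, routes, relays = [], [], [], []
    seen_vlans = set()

    if mode == "L3":
        eth1 = ipaddress.ip_interface(plan["eth1"])        # e.g. 10.10.10.5/24
        next_hop = ipaddress.ip_address(plan["next_hop"])  # router in eth1's VLAN
        interfaces.append(f"eth1 untagged {eth1}")
        if next_hop not in eth1.network:
            findings.append(f"next hop {next_hop} is outside eth1 network {eth1.network}")
    elif mode != "L2":
        return {"ok": False, "findings": [f"unknown mode {mode!r}"],
                "interfaces": [], "routes": [], "dhcp_relays": []}

    for iso in plan["isolation"]:
        name = iso["name"]
        net = ipaddress.ip_network(iso["network"])
        gw = ipaddress.ip_address(iso["gateway"])  # default gateway isolated hosts use
        start, end = iso["dhcp"]

        if gw not in net:
            findings.append(f"{name}: gateway {gw} is not inside {net}")
        if not _dhcp_scope_ok(start, end, net, gw):
            findings.append(f"{name}: DHCP scope {start}-{end} must lie inside {net} and exclude {gw}")

        if mode == "L2":
            # Assumption: FortiNAC itself is the isolation gateway, so the
            # tagged sub-interface eth1.<vid> carries the gateway address.
            vid = iso.get("vlan")
            if vid is None or not 1 <= vid <= 4094 or vid in seen_vlans:
                findings.append(f"{name}: missing, invalid or duplicate VLAN id {vid}")
            seen_vlans.add(vid)
            interfaces.append(f"eth1.{vid} tagged {gw}/{net.prefixlen}")
        else:
            # The isolation network is remote: it must not overlap eth1's VLAN,
            # it needs a route, and the router must relay DHCP to eth1's address.
            if net.overlaps(eth1.network):
                findings.append(f"{name}: {net} overlaps eth1 network {eth1.network}; L3 expects a routed network")
            routes.append(f"{net} via {next_hop} dev eth1")
            relays.append(f"{name}: relay DHCP on {gw} to {eth1.ip}")

    return {"ok": not findings, "findings": findings, "interfaces": interfaces,
            "routes": routes, "dhcp_relays": relays}


# Constructed sample plans (all addresses and VLAN ids are made up).
L2_PLAN = {
    "mode": "L2",
    "isolation": [
        {"name": "registration", "vlan": 110, "network": "10.110.0.0/24",
         "gateway": "10.110.0.1", "dhcp": ("10.110.0.100", "10.110.0.200")},
        {"name": "quarantine", "vlan": 120, "network": "10.120.0.0/24",
         "gateway": "10.120.0.1", "dhcp": ("10.120.0.100", "10.120.0.200")},
    ],
}

L3_PLAN = {
    "mode": "L3",
    "eth1": "10.10.10.5/24",
    "next_hop": "10.10.10.1",
    "isolation": [
        {"name": "registration", "network": "10.110.0.0/24",
         "gateway": "10.110.0.1", "dhcp": ("10.110.0.100", "10.110.0.200")},
        # Deliberate mistake: the scope swallows the gateway address.
        {"name": "quarantine", "network": "10.120.0.0/24",
         "gateway": "10.120.0.1", "dhcp": ("10.120.0.1", "10.120.0.200")},
    ],
}

if __name__ == "__main__":
    for plan in (L2_PLAN, L3_PLAN):
        result = check_plan(plan)
        print(plan["mode"], "ok" if result["ok"] else "PROBLEMS")
        for line in result["interfaces"] + result["routes"] + result["dhcp_relays"] + result["findings"]:
            print("  ", line)
```

Running it prints the two tagged sub-interfaces for the L2 plan and, for the L3 plan, the single untagged eth1, one route per isolation network, the DHCP relay each router needs, and the scope that was drawn over the quarantine gateway. The L3 overlap check is the practical test for the point made later in the thread: if an isolation network lands in the same subnet as eth1, it is an L2 design, not an L3 one.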
It is about isolation.
Typically you use an L2 deployment when you have a single site, and an L3 deployment when you have multiple sites interconnected with routers.
There is no recommendation; it depends on your case, single site or multiple sites.
However, if you have a single site, it is certainly simpler to go with an L2 deployment.
To add to this response, the L2 deployment can be useful when a physical FNAC appliance is used in a local site and is part of the access perimeter security. In the case of having FNAC as a VM, the network/security team most probably will not allow spanning the isolation VLANs from the access layer to the data center, so an L2 deployment will not be possible. L3 deployments may require more changes on the network devices when configured for the first time, but they will scale well in the future.
Copyright 2024 Fortinet, Inc. All Rights Reserved.