Support Forum
JawadEA
New Contributor

Inter Vlan Routing on a Fortigate

Hi,

I am currently looking into changing my Layer 3 core switch and implementing Layer 3 routing between VLANs on the FortiGate.

The question is: can the FortiGate support and handle the inter-VLAN routing in addition to internet traffic?

We are trying to accomplish network segmentation to provide extra security measures in our environment. It is much easier to implement policies on the FortiGate than ACLs on a Layer 3 core switch.

Can the FortiGate handle this?

Thanks

1 Solution
eti_andrei
New Contributor III

Hello,

Yes, the FortiGate can handle this. Of course, it all depends on what kind of traffic load your core is already handling and making sure it's matched to an appropriate FortiGate.

In fact, this is the typical scenario for many of our clients and has worked out well for them.

For example, in tightly-integrated environments, we can have a client access resources on another VLAN seamlessly through their SSO login. Not to mention the greater visibility into inter-VLAN traffic, plus the ability to potentially stop - and otherwise quarantine - internal malicious actors, all from a single interface.

The higher-end FGs - not the ones with SoCs, but rather the ones with discrete NP and CP ASICs - will theoretically get the best, lowest-latency performance.

Please read the Hardware Acceleration guide in regards to the models you expect to use:

https://docs.fortinet.com/document/fortigate/7.2.0/hardware-acceleration/448300/hardware-acceleratio...
(an example, as a newer or more appropriate guide for your FortiOS version might exist)

Consider that models like the 2000E will have a unique "NP-Direct" architecture which removes the internal switching fabric, yielding even lower latency. However, you must follow the guide, since port banks corresponding to their respective NP units cannot talk to each other.

Also consider reliability factors: if your core is designed with HA in mind - and if this is a requirement of your organization - then you should consider an HA FortiGate setup (also consider models with removable PSUs and other redundancy features that match your current core's configuration, again, if it's a requirement of your organization).

From a personal anecdote:
A new client of ours from a few years ago wanted to achieve better control over their inter-VLAN routing and were very proud of their Nexus 9000 series chassis. Like you, they felt managing ACLs was tedious and limited compared to policies on a firewall. During the discovery process, they kept stressing how high-performance their core was and expressing skepticism that "a firewall" could keep up with this level of performance. While their core was certainly capable of hundreds of gigabits of routing, we spent a good deal of time analyzing traffic and noticed that most of their inter-VLAN traffic came nowhere near these levels. In fact, most of their routed traffic was straight-up internet traffic, limited by their 10 gigabit primary connection (and gigabit backup). They had been oversized, and I'm sure somebody collected a sizable commission for selling such an overspecced core.

They wound up with a 2000E, which was more than capable of handling all their needs and ultimately "proved" to management that their core was being largely underutilized considering the kind of theoretical performance it could deliver. Their IT management team enjoyed the ease of management and visibility, while they never noticed a single difference in performance.

Consider that in the old days, when most firewalls were just using commodity PC hardware, using such a device to do all your internal routing would definitely fall short of a dedicated router with its custom ASICs. The FortiGate platform really blurs this line.

Best of luck!

vdralio
Staff

Dear @JawadEA,

Please find below the article that answers your question:

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/784981/vlan-switching-and-routing

Best Regards,

Vasil Dralio
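For readers who want to see what the linked handbook chapter amounts to on the box, here is an added example (not from the article, and not from any poster in this thread) of the FortiOS CLI configuration that moves inter-VLAN routing from a core switch onto the FortiGate: two VLAN subinterfaces on a single trunk port, one explicit allow policy that admits only the needed service between them, and an explicit logged deny underneath. The physical port "port3", the VLAN IDs 10 and 20, the interface, address and policy names, and the addressing are all assumptions chosen for the illustration.

```fortios
# Added example, not from the linked article. Assumptions: "port3" carries an
# 802.1Q trunk from the access switch; VLAN 10 = user LAN, VLAN 20 = server LAN;
# every name, VLAN ID and address below is illustrative.

# 1. Layer 3 VLAN subinterfaces. The FortiGate becomes the default gateway for
#    each VLAN, taking over the role of the SVIs on the Layer 3 core switch.
config system interface
    edit "vlan10-users"
        set vdom "root"
        set ip 10.0.10.1 255.255.255.0
        set allowaccess ping
        set role lan
        set interface "port3"
        set vlanid 10
    next
    edit "vlan20-servers"
        set vdom "root"
        set ip 10.0.20.1 255.255.255.0
        set allowaccess ping
        set role lan
        set interface "port3"
        set vlanid 20
    next
end

# 2. Address object for the one server the user VLAN is allowed to reach.
config firewall address
    edit "srv-app01"
        set subnet 10.0.20.10 255.255.255.255
    next
end

# 3. Firewall policies take the place of the switch ACLs. Traffic between two
#    FortiGate interfaces hits the implicit deny unless a policy accepts it, so
#    only HTTPS to srv-app01 crosses from users to servers. The explicit deny
#    with logging records everything else, which is the inter-VLAN visibility
#    the accepted answer refers to. "edit 0" lets FortiOS assign the next free
#    policy ID; policies are evaluated top-down, so the deny must come last.
config firewall policy
    edit 0
        set name "users-to-app01-https"
        set srcintf "vlan10-users"
        set dstintf "vlan20-servers"
        set srcaddr "all"
        set dstaddr "srv-app01"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    edit 0
        set name "users-to-servers-deny-log"
        set srcintf "vlan10-users"
        set dstintf "vlan20-servers"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The switch uplink into port3 has to carry VLANs 10 and 20 as tagged members, and the switch's own SVIs for those VLANs are removed so that hosts use the FortiGate addresses as their gateway. Because the firewall is stateful, the reply traffic from the server is matched to the accepted session; a separate servers-to-users policy is only needed for sessions the servers initiate. The `#` lines are annotations: keep them if you restore the text as a configuration script, or drop them if you paste the commands into an interactive console.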

JawadEA

Thanks for the reply.

The article does not illustrate whether the FortiGate can handle that load without affecting performance. Having the firewall do Layer 3 segmentation too might impact performance, such as overloading the CPU or memory and causing latency. I'm not sure which FortiGate model can do this seamlessly without any issues.

Thanks

gfleming
Staff

It depends on the FortiGate model and what other features and functionality you are using.

Let's take a look at the FortiGate 100F as an example.

The data sheets for all FortiGates give us the performance numbers you want to look for. For the 100F it does 20 Gbps of firewall throughput. This is your inter-VLAN routing performance.

If that's all the FortiGate was doing, that's what you could expect to get out of it.

Now, if you're also running a 1 Gbps WAN link and doing web filtering, IPS and other security measures, well, you'll see those threat protection numbers give you only 1 Gbps. So I wouldn't want to push both a 1 Gbps WAN link with threat protection turned on as well as inter-VLAN routing.

Give us more details and we can try and help. Such as: what is your WAN link speed, what security features do you have enabled, what is the expected combined throughput of inter-VLAN routing?

A lot of Fortinet customers also deploy a dedicated internal segmentation firewall (ISFW). This way you can look at just the firewall throughput number in most cases.

Cheers,
Graham

sw2090
Honored Contributor

Hm, we handle over 10 VLANs and IPsec VPNs per site with a 100E or 100F (or 300E at HQ). Behind the FGT are only Layer 2 switches. Never had any problems with memory or CPU load up to now.

--

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
JawadEA
New Contributor

Thanks for the information. I am doing some research and I found that on the firewall datasheet there are some options; if someone can explain what each one is mapped to, it would be appreciated.

(attached screenshot: JawadEA_0-1663255471326.png, datasheet throughput figures)

This is a FortiGate 60E; it is the oldest in our environment, for example.

I am a little bit confused with the throughput classifications.

Thanks
