- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Is it possible to configure two different physical...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to configure two different physical interface on Forti 60F to handle traffics?
My concern is: we have one physical Forti 60F that currently run the following network: 192.168.20.0/24 on port 2 connected to Cisco Switch1 and We are looking to run 10.21.20.0/24 network on port 5 trunking with Cisco Switch2
Once I try to connect the Fortigate port 5, it seems like, we lose internet from other network. I'm wondorring if it's something that can be done from this way. Do I need to run on different VDOM? or it could work like I did. Any help will be greatly appreciated.
Labels:
- Labels:
-
FortiGate
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Most likely there is an L2 loop through port2<->SW1<->SW2<->port5 for non-tagged interface or Vlan1 on Cisco SWes. You either need to get rid of connections between two switches (likely you can't), or remove either or both of port2(internal2) and port5(internal5) from the default VLAN switch interface.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for sharing you help, but I don't have connection between SW1 to SW2, here is my diagram
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are they "internal2" and "internal5" separated interfaces, not bound in "internal" VLAN switch interface? Or is 10.21.20.0/24 is on a VLAN interface? Please share the interface config for those hopefully in CLI.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Internal2 is configured as Access port from SW1==>FG port2, there is no vlan, no sub interface implemented; then we want now to implement sub interface with multiple VLAN by using Port5 ===> TRUNK SW2.
Sorry, I disconnect all connection on the port so I'm not able to get CLI right now.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As I mentioned before, by default all internal1 - internal5 are in "internal" vlan switch interface. Then when you create the VLAN interface on "internal" (you can't configure it only on "internal5") then the VLAN is shared with all 5 ports. That's why I'm asking the actual config under "config system interface" whenever you can.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sounds correct, thank you Toshi. here is the config
config system interface
edit "wan1"
set vdom "root"
set ip 24.52.52.17 255.255.255.252
set allowaccess ping https ssh http
set type physical
set alias "wan1"
set lldp-reception enable
set lldp-transmission enable
set monitor-bandwidth enable
set role wan
set snmp-index 1
next
edit "wan2"
set vdom "root"
set type physical
set role wan
set snmp-index 2
next
edit "dmz"
set vdom "root"
set ip 192.168.3.1 255.255.255.0
set allowaccess ping https fgfm fabric
set type physical
set alias "dmz"
set role dmz
set snmp-index 3
next
edit "internal1"
set vdom "root"
set ip 192.168.50.1 255.255.255.0
set allowaccess ping https ssh http fgfm fabric
set type physical
set alias "lan1"
set device-identification enable
set lldp-reception enable
set lldp-transmission enable
set monitor-bandwidth enable
set role lan
set snmp-index 4
next
edit "internal2"
set vdom "root"
set ip 192.168.85.1 255.255.255.0
set allowaccess ping https ssh http
set type physical
set alias "lan2"
set device-identification enable
set lldp-reception enable
set lldp-transmission enable
set monitor-bandwidth enable
set role lan
set snmp-index 5
next
edit "internal3"
set vdom "root"
set type physical
set snmp-index 6
next
edit "internal4"
set vdom "root"
set type physical
set snmp-index 7
next
edit "internal5"
set vdom "root"
set type physical
set snmp-index 8
next
edit "a"
set vdom "root"
set type physical
set snmp-index 9
next
edit "b"
set vdom "root"
set type physical
set snmp-index 10
next
edit "modem"
set vdom "root"
set mode pppoe
set status down
set type physical
set snmp-index 11
next
edit "naf.root"
set vdom "root"
set type tunnel
set src-check disable
set snmp-index 12
next
edit "l2t.root"
set vdom "root"
set type tunnel
set snmp-index 13
next
edit "ssl.root"
set vdom "root"
set type tunnel
set alias "SSL VPN interface"
set snmp-index 14
next
edit "internal"
set vdom "root"
set mode dhcp
set type hard-switch
set stp enable
set snmp-index 15
next
edit "vpn.wan1"
set vdom "root"
set ip 0.0.0.0 255.255.255.255
set type tunnel
set monitor-bandwidth enable
set snmp-index 16
set interface "wan1"
next
edit "vlan5"
set vdom "root"
set ip 10.27.27.1 255.255.255.0
set allowaccess ping https ssh http
set alias "gestion"
set device-identification enable
set role lan
set snmp-index 17
set interface "internal"
set vlanid 5
next
edit "vlan25"
set vdom "root"
set ip 10.26.26.1 255.255.255.0
set allowaccess ping
set alias "VoIP"
set device-identification enable
set role lan
set snmp-index 18
set interface "internal"
set vlanid 25
next
edit "vlan21"
set vdom "root"
set ip 10.25.25.1 255.255.255.0
set allowaccess ping
set alias "dataPC"
set device-identification enable
set role lan
set snmp-index 19
set interface "internal"
set vlanid 21
next
edit "vlan22"
set vdom "root"
set ip 10.22.22.1 255.255.255.0
set allowaccess ping
set alias "dataPrinters"
set device-identification enable
set role lan
set snmp-index 20
set interface "internal"
set vlanid 22
next
edit "vlan23"
set vdom "root"
set ip 10.23.23.1 255.255.255.0
set allowaccess ping
set alias "dataMills"
set device-identification enable
set role lan
set snmp-index 21
set interface "internal"
set vlanid 23
next
edit "vlan24"
set vdom "root"
set ip 10.20.20.1 255.255.255.0
set allowaccess ping
set alias "wifi"
set device-identification enable
set role lan
set snmp-index 22
set interface "internal"
set vlanid 24
next
edit "vlan40"
set vdom "root"
set ip 10.10.10.0 255.255.255.0
set allowaccess ping
set alias "wifiPub"
set device-identification enable
set role lan
set snmp-index 23
set interface "internal"
set vlanid 40
next
end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My current main network is on P1 and looking to create P5 with sub interfaces
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The potential problem I see in your inteface config is "internal" vlan switch still exist and all VLANs are on "internal" interface.
Go to "config sys virtual-switch" then "show" to see the members of "internal" vlan switch.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is
NAP-000270 (virtual-switch) # show
config system virtual-switch
edit "internal"
set physical-switch "sw0"
config port
edit "internal5"
next
end
next
end
Related Posts
- Way to see Destination IP behind... 98 Views
- FortiClient 7.2.4 installer with deployed EMS... 112 Views
- Import Firewall Policies from CLI or... 75 Views
- VXLAN, Virtual Switch and MTU 79 Views
- IPSec tunnel error : no SA... 149 Views
Labels
-
FortiGate
6,530 -
FortiClient
1,303 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.