Layer3 Fortiswitch
Hi all,
Our current setup is an FG 80F acting as a firewall and NAT device, with a Layer 3 switch acting as a router for the office network and inter-VLAN routing.
We would like to replace the current Layer 3 switch with 2 switches from the Forti ecosystem that can act as redundant routers.
Requirements are as follows:
- L3 switch handles inter-VLAN routing
- L3 switch acts as a router for private networks
- L3 switch(es) support HSRP or VRRP
- FG 80F handles NAT and traffic inspection
- Switch and future Forti APs are managed via the FG 80F
So basically I want central management for Forti network devices, and L3 traffic between private networks to be handled on switches which are the redundant gateway for client network devices.
Is that feasible?
Regards,
Drazen
Hi Sego
Starting in FortiOS 7.4.1 with FortiSwitchOS 7.4.1, managed FortiSwitch units can perform inter-VLAN routing.
https://docs.fortinet.com/document/fortigate/7.4.0/new-features/369021/support-inter-vlan-routing-by...
However, I didn't test it and didn't read enough about it, so I can't tell under which conditions it will work, i.e. if it requires an extra license or if it works only for specific cases.
Also, you may refer to the FSW feature matrix to see which models support VRRP and inter-VLAN routing.
Hope it helps.
Hi,
Some FortiSwitch models support MCLAG, enabling switch-level failover. By creating all VLANs on the FortiSwitch and establishing a default route to the FortiGate-connected interface, you can efficiently redirect internet traffic.
Please check the link below.
Hi Aek,
So...
The good thing is that inter-VLAN traffic no longer needs to pass through the FG, but the bad news is that I must pay extra for that, and also bad: VRRP and the rest of the L3 goodies are available only in standalone mode.
So, my setup could/would look like this:
1 FG 80F in the role of firewall, NAT, L3 router, VLAN termination, with A and B ports connected to 2 FortiSwitches configured in MCLAG; inter-VLAN routing is supported on FortiSwitch 1024D and above with the advanced features license.
Opinions are welcome, please...
PS: I forgot to mention that 10G from switch server load is a highly welcome feature.
Hi Sego
Besides, here I notice that you are using an entry-level FG with big-sized FortiSwitches (1024D is data center series). I'm not saying it is wrong, but for me such a combination is absolutely not common.
Except if it is for servers working together with very high load and connecting to internet with average bandwidth, then that would probably make sense.
Hi, and sorry for the late answer, I had days off...
Yes, I'm aware of that, but since these switches are the first to have that feature, there is no other option. I do believe that after some time, replacing the FG with a stronger model is not going to be a problematic one...
Regards,
Drazen
Probably you can't test and confirm whether it can be done exactly the way you want until you get the FSWs. But keep in mind that at that time there is an option to make the FSWs work in "standalone" mode, so that you can keep the brain completely separated from your FG80F's for both L2 and L3 handling, just like you're doing with your current switches.
Toshi