Hello everyone
I am all new to Fortinet and FortiGate, though i am a quite old Networks "user"
Right now i am in the process of swapping a Juniper SRX100 with a Fortigate 92D and a Juniper SRX240 with a Fortigate 140D-POE (+FAP321C)
In general i find all the configuration points i wish (and can dream of) and always amazed how easy and efficient everything is (especially coming from Cisco, Juniper and other Checkpoint products)
The only thing i am struggling with right now is the setup of the LANs and VLANs (i didn't think that going full VDOM was necessary)
I attached a quickly drawn high level concept of the network to give an idea of what i am trying to achieve
I am working with 3 VLANs
Green - 192.168.1.0/24 - DHCP server active
Amber - 192.168.10.0/24 - DHCP server active
Red - 192.168.100.0/24 - DHCP server active
Green is reserved for trusted devices (PCs, Macs, iDevices, ...)
Amber is reserved for internet facing servers and other devices reachable from Internet
Red is reserved for guest devices (PCs, Macs, iDevices, ...)
The devices in Green are all with single link
The servers in Amber have all dual link in 802.3ad aggregation (other devices have a single link)
The devices in Red are all with single link
What i have been trying to achieve at first was to create the 3 VLANs and assign then to various ports but it seems i can assign only to 1 interface (may it be a port or Virtual Switch or VLAN Switch) Also i noticed that the 802.3ad ports are to be set as an Aggregate Interface
So i seem to be turning round and round on how to set a number of ports to the Green VLAN, another set of Ports to the Amber VLAN (along with a couple aggregated interfaces), a 3rd set of ports to the Red VLAN and the WiFi port to all 3 VLANs
I am quite sure i am just missing a detail but i cannot seem to make it all work together
I was hoping that some of you with way more experience than me on FortiGate could help me find the solution
Thank you in advance!
Andy
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Changing the port members on the default 'internal' switch depends on hardware model and firmware version. If the FGT has an 'internal' switch you can always split it up into individual ports (except for the smallest FGTs...). In the GUI, try to create a new interface (System > Network > Interfaces) - which types do you have: VLAN always, aggregate as well, switch?
Recently on a 240D running v5.2.3, when I entered the Interface setup, I could tick off single member ports as needed from the 'internal' interface.
Now for the SSIDs...so you get each SSID on it's own VLAN. On the phys. port connected to the AP, create these VLANs and point the default route of each VLAN to the VLAN's interface IP (usually x.y.z.1). Now you can create policies to allow traffic from / to each SSID. Routing is done automatically for all directly connected networks (look at the Routing Monitor to see these).
As for the LACP trunks, just create them from otherwise unused phys. ports and then configure the virtual trunk port as you like (address, VLAN ID if you need, whatever). Per default, LACP will use 'slow' mode, i.e. sending BUPs every 30 seconds. I always switch that into 'fast' mode using the CLI ('conf sys int, edit myTrunk, set lacp-mode fast'). And yes, you should make sure that you're configuring LACP ('active', not 'passive' or 'static') trunks.
You'll definitively need the CLI Reference Guide along with the Handbook for the details :)
Sorry for off topic from Pandalist's original question. But I want to ask ede_pfau or others if FortiSwitch can do like this that FortiGate can't do.
Nowadays major routers like Cisco, Juniper, etc. supports L2 switching separated from L3 routing, just like Pandalist drew in the diagram. I've kept asking the same/similar function on Fortigate to Fortinet SE/Sales but so far it's not happening.
Fortigates don't have clear separation between Layer3 interface and Layer2(or below) vlans. The vlan is a "subinterface" that can belong to one interface only. You can bind multiple physical interfaces into one hardswitch (virtual-switch) interface or one softswitch interface (switch-interface) via CLI (I'm not sure about GUI. And CLI might be slightly different between 92D and 140D, which I don't have either). Then you need to create a vlan subinterface on top of it. Although you can attach multiple vlans on one interface, it's the same through all physical interfaces inside the hard/softswitch interfaces.
In other words, you can't have one physical interface with only vlan-A and another with vlan-A and vlan-B as in your diagram. An option I could think of without having a Layer2 switch next to it is to separate WiFi SSID subnets from those three wired vlan subnets then set policies or zones to connect them together.
Thank you very much for your answer Toshi Esumi
I guess then that i will have to double the number of subnets for LAN and WiFi
From what you wrote i have then to assume that it is the same for the Aggregate Interface... It has to use its own subnet (which then makes sense to have as a /30 to just have an IP on the FortiGate Interface and an IP on the server aggregated interface)
Thanks again for your insight :) Best
Andy
hi,
Fortigates are not SWITCHES - they are routers. As such, no 2 ports can be in the same subnet, be it physical or virtual.
If you need to connect VLANs, then make the FGT the VLAN gateway, set policies and you're done.
VLANs as subinterfaces of physical ports offer you a nearly unlimited number of ports and networks that a FGT can connect - 4094 plus the number of phys. interfaces. The drawback is that all VLANs and the phys. LAN share the bandwidth of one (Gb) port. So better don't overdo it...
IF you find that you don't have enough phys. ports then you should reduce the number of ports in the (default) 'internal' switch interface. Easily done in the GUI. Don't mess with 'soft-switches' for performance reasons, and on your FGTs no need to do so.
As for the WLAN...why would you need the Wifi be part of all 3 VLANs? Again: routing, not switching.
Hi ede_pfau
in regards of the WLAN i have 3 subnets to route through a single port therefore i supposed the VLAN approach was the easiest I am not sure how to route 3 segregated subnets to the WLAN with 3 different SSIDs otherwise
I don't have the Fortigate in front of me right now but i believe i have only Soft-Switch or VLAN-Switch on the FG140D (and only soft-switch on the 92D) I dont remember being able to reduce the number of ports on the default Internal Interface. I pretty much had to break it to individual ports before being able to cluster them again in groups for different subnets. But i will look at it again
From your feedback i will try to group 3 sets of ports for 3 different subnets without using the soft-switch interface
And will try to sort out how to route 3 subnets through a single port with 3 SSIDs (though i really dont see how i can do it)
And then i will dedicate a few couples of ports for aggregate links to the servers with /30 subnets
Thanks for your feedback :) Best
Andy
Changing the port members on the default 'internal' switch depends on hardware model and firmware version. If the FGT has an 'internal' switch you can always split it up into individual ports (except for the smallest FGTs...). In the GUI, try to create a new interface (System > Network > Interfaces) - which types do you have: VLAN always, aggregate as well, switch?
Recently on a 240D running v5.2.3, when I entered the Interface setup, I could tick off single member ports as needed from the 'internal' interface.
Now for the SSIDs...so you get each SSID on it's own VLAN. On the phys. port connected to the AP, create these VLANs and point the default route of each VLAN to the VLAN's interface IP (usually x.y.z.1). Now you can create policies to allow traffic from / to each SSID. Routing is done automatically for all directly connected networks (look at the Routing Monitor to see these).
As for the LACP trunks, just create them from otherwise unused phys. ports and then configure the virtual trunk port as you like (address, VLAN ID if you need, whatever). Per default, LACP will use 'slow' mode, i.e. sending BUPs every 30 seconds. I always switch that into 'fast' mode using the CLI ('conf sys int, edit myTrunk, set lacp-mode fast'). And yes, you should make sure that you're configuring LACP ('active', not 'passive' or 'static') trunks.
You'll definitively need the CLI Reference Guide along with the Handbook for the details :)
Hello,
We have done it in remote sites with our 60D and 90D.
The general idea is to create as software switch to each vlan, let’s call it switch_vlan3, then you create a vlan 3 with the DHCP and ip and add it to the switch, and then you add the physical ports and any ssid you have.
If you have Trunks ( or ip phone + pc’s with different vlans) you have to create a sub interface for each vlan linked to the physical port and add it to the vlan switch.
It’s not nice but works very well.
Sorry for off topic from Pandalist's original question. But I want to ask ede_pfau or others if FortiSwitch can do like this that FortiGate can't do.
Nowadays major routers like Cisco, Juniper, etc. supports L2 switching separated from L3 routing, just like Pandalist drew in the diagram. I've kept asking the same/similar function on Fortigate to Fortinet SE/Sales but so far it's not happening.
I second Toshi :) It's exactly because i come from Juniper and Cisco HW that i was expecting a similar behavior in regards of L2 handling It's nothing that cannot be worked around but i believe that having a proper L2 handling could greatly simplify some configs
So i still hope it will come in the future :)
Thanks everyone for your help and insight
I just got email from an SE saying he could set a VLAN to one port while the other port had multiple VLANs configured including the one with v5.4 on FG140D. I don't have FG100/200 series and haven't tried 5.4 yet. You might want to try it. I at least don't see anything like that in "What's New" document of 5.4 though. I have to try 5.4 with my FG60D.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.