Hi,
Is it possible on a FortiGate 100F to have one VLAN configured on multiple ports?
Let's say I have vlan5 192.168.5.0. Is it possible to attach it to port1 and port2 so that I then have the same shared vlan5 subnet on both of these ports?
thanks
Hello Wojtek,
you can assign the same VLAN to multiple physical ports, with different IPs on the same subnet. To do that, you need to enable 'allow-subnet-overlap'.
See https://kb.fortinet.com/kb/documentLink.do?externalID=FD30014
Best regards, Benoit
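What the accepted answer describes, written out as FortiOS CLI. This is an added example, not configuration from the original post or from Fortinet's KB article: the interface names, the port assignments and the addresses 192.168.5.1/.2 are assumptions chosen to match the question.

```fortios
# Added example (not from the original post). Assumes VDOM "root",
# physical ports port1/port2 and the 192.168.5.0/24 subnet from the question.

# 1. Permit two interfaces to carry addresses from the same subnet.
#    This setting is per VDOM; without it the second "set ip" below is rejected.
config system settings
    set allow-subnet-overlap enable
end

# 2. One VLAN sub-interface per physical port, both tagged with VLAN ID 5.
#    Each sub-interface gets its own address inside 192.168.5.0/24.
config system interface
    edit "vlan5-port1"
        set vdom "root"
        set interface "port1"
        set vlanid 5
        set ip 192.168.5.1 255.255.255.0
        set allowaccess ping
    next
    edit "vlan5-port2"
        set vdom "root"
        set interface "port2"
        set vlanid 5
        set ip 192.168.5.2 255.255.255.0
        set allowaccess ping
    next
end
```

Two caveats before copying this. First, these are still two separate Layer 3 interfaces: the FortiGate does not bridge vlan5-port1 and vlan5-port2, so a host behind port1 cannot reach a host behind port2 at Layer 2 even though they share a subnet, and the routing table now holds two connected routes for 192.168.5.0/24, one per interface; check with `get router info routing-table connected` which interface wins for traffic the firewall itself originates. Second, disabling allow-subnet-overlap again fails while any overlapping addresses remain configured, so undoing this means removing one of the sub-interfaces first.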
No, a VLAN interface is a sub-interface on a FortiGate (a tagged VLAN on a trunk port in switching parlance).
You *could* set up a switch on the FortiGate so that more than one physical port shared the same "interface" but you wouldn't be able to tag VLANs on those ports. You'd have to connect it to a switch on an untagged VLAN to maybe kind of achieve what you're looking for, at which point why not just use a switch to begin with. Tag the VLAN going to the FortiGate and set untagged VLANs on the other ports you need instead of using the FortiGate for them.
So how can I create a setup like this:
I have a LAN port (port1) and a DMZ port, and one MGMT VLAN subnet (tagged). How can I have the same MGMT VLAN subnet on both the LAN and the DMZ?
On other routers I can bridge the MGMT VLAN with the DMZ port and this works. How about FortiGate?
I wouldn't do that. The MGMT port is there to separate the management access network from all other "user" networks on the LAG. It's better kept alone with the management subnet and connected directly to the switch (access port); then you can control L2 switching/L3 routing at the L3 switch.
Maybe I mixed up with another thread. But separation of MGMT port should still stand.
100% agree with Toshi. I refrained from saying anything but the design Wojtek described makes no sense to me. Management is its own thing and should be on its own interface. Can't imagine what the benefit would even be to having it on multiple interfaces.
allow-subnet-overlap is an evil option. The devil made it. Please do not use it ;)
As said, a VLAN on a FGT is a virtual interface that is tied to a physical one. So the only option to share one VLAN on more than one port would be to put those ports into a switch; then they are treated as one interface and you can tie a VLAN to it.
The only other option might be port trunking, but then you no longer have separate ports.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
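The "put those ports into a switch" alternative from the post above, as an added example in FortiOS CLI (not configuration from the original post). The switch name "lan-sw", the member ports and the address are assumptions.

```fortios
# Added example (not from the original post). Assumes VDOM "root" and that
# port1 and port2 are free, i.e. not referenced by any policy, route or
# VLAN sub-interface, otherwise the "set member" line is refused.

# A software switch: the FortiGate bridges the member ports in software and
# exposes them as one Layer 3 interface.
config system switch-interface
    edit "lan-sw"
        set vdom "root"
        set type switch
        set member "port1" "port2"
    next
end

# The address lives on the switch interface, not on the member ports.
config system interface
    edit "lan-sw"
        set ip 192.168.5.1 255.255.255.0
        set allowaccess ping
    next
end
```

The security consequence is the one raised later in this thread: hosts on port1 and port2 are now in one broadcast domain and talk to each other directly through the FortiGate's software bridge, without any firewall policy in between. That is exactly the LAN/DMZ separation the original poster says must be preserved, so this option only fits ports that are allowed to share a Layer 2 segment.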
Yes, it's great when you have multiple Ethernet interfaces on a server, but most of my servers have only two Ethernet ports: one iRMC and the other for data flow and the MGMT VLAN. I cannot do it another way, like putting only MGMT on a VLAN, and I would like to have one MGMT subnet spread across all my FortiGate LAN ports, so this is my problem.
I cannot put the LAN port together with my DMZ port on a switch; they need to be separated (security reasons).
So if your servers need trunk ports (which is what I'm hearing), then you need to use a managed switch to connect between your servers and the FortiGate (maybe FortiSwitch would work; I have no personal experience). There would be no security risk, as your DMZ would be on its own VLAN and could not communicate with anything else. This should be very easy to accomplish with any number of managed switch vendors.
Copyright 2024 Fortinet, Inc. All Rights Reserved.