jsr
New Contributor II

Port-Channel Sub-Interfaces on Fortigate Firewall.

Hello Friends, 

 

We have aggregated 02 interfaces on a Fortinet firewall and created a port-channel (named Port-Channel1). Further, we would like to create sub-interfaces on this port-channel, e.g. port-channel1.10, port-channel1.20, port-channel1.30 and so on, as in Cisco, as we are planning to configure multiple zones (outside, inside, dmz, internet) on different sub-interfaces of the port-channel, which is created on 02 physical interfaces only.

 

Is this possible, or do we have to create VLAN sub-interfaces only under port-channel1? Please guide.

 

regards

jsr

Alexis_G
Contributor II

You have to create multiple VLANs under this Port-Channel-1.

Keep in mind that if you have multiple VDOMs, it is good to assign Port-Channel-1 to the root VDOM and each VLAN to the VDOM you wish to utilize. This way, in the future, if you need more VDOMs, you will be able to pass traffic for different VLANs to different VDOMs.

 

Also keep in mind that an aggregate interface (meaning 2 interfaces of 10G = 10+10G = 20G) is different from a redundant one (meaning 2 interfaces of 10G = 10 | 10G = 10G) and has a different configuration on the switch side.

--------------------------------------------

If all else fails, use the force !

jsr
New Contributor II

Hi JK, 

 

OK, meaning there is no concept of creating port-channel interfaces like po1.10, po1.20 etc., and we have to achieve this with VLANs only.

 

Something like below :

 

Aggregating Interface and Port-Channel Creation :

 

    config system interface
        edit "Port-Channel1"
            set vdom "root"
            set type aggregate
            set member "port1" "port2"
            set allowaccess ssh https
        next
    end

 

Allowing multiple VLANs under port-channel1 :

 

    config system interface
        edit "VLAN_100"
            set vdom "root"
            set interface "Port-Channel1"
            set type vlan
            set vlanid 100
            set mode static
            set ip 10.10.10.1/24
            set allowaccess ssh https
        next
        edit "VLAN_200"
            set vdom "root"
            set interface "Port-Channel1"
            set type vlan
            set vlanid 200
            set mode static
            set ip 10.10.20.1/24
            set allowaccess ssh https
        next
    end

 

Is this the right way, or do you feel some changes are needed in the above configuration?

 

Rgds

JSR

 

emnoc
Esteemed Contributor III

Yes that is how it's done. 

 

Ken Felix

PCNSE 

NSE 

StrongSwan  
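Added example, not part of the thread and not Fortinet code: a small Python check for a `config system interface` script of the kind discussed above, run before the script is pasted into the CLI. It flags VLAN interfaces whose `set interface` parent is not defined under exactly that name or is not an aggregate, and lists every interface that enables administrative access through `allowaccess`. The sample config and the names `parse_interfaces`, `lint` and `MGMT` are constructed for illustration.

```python
import shlex

# Constructed sample in FortiOS CLI syntax; names are illustrative.
SAMPLE = '''
config system interface
    edit "Port-Channel1"
        set type aggregate
    next
    edit "VLAN_100"
        set interface "Port-Channel1"
        set type vlan
        set vlanid 100
        set allowaccess ssh https
    next
    edit "VLAN_200"
        set interface "portchannel1"
        set type vlan
        set vlanid 200
    next
end
'''
MGMT = {"ssh", "https", "http", "telnet"}  # allowaccess values that expose admin logins

def parse_interfaces(text):  # -> {interface name: {setting: [values]}}
    ifaces, current = {}, None
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:1] == ["edit"] and len(tok) > 1:
            current = ifaces.setdefault(tok[1], {})
        elif tok[:1] == ["set"] and len(tok) > 1 and current is not None:
            current[tok[1]] = tok[2:]
        elif tok[:1] in (["next"], ["end"]):
            current = None
    return ifaces

def lint(ifaces):
    """Flag admin access on any interface and VLANs whose parent is wrong."""
    findings = []
    for name, cfg in ifaces.items():
        if mgmt := sorted(MGMT & set(cfg.get("allowaccess", []))):
            findings.append(f"{name}: admin access enabled ({' '.join(mgmt)})")
        if cfg.get("type") != ["vlan"]:
            continue
        parent = (cfg.get("interface") or [None])[0]
        if parent not in ifaces:
            findings.append(f"{name}: parent {parent!r} is not defined")
        elif ifaces[parent].get("type") != ["aggregate"]:
            findings.append(f"{name}: parent {parent!r} is not type aggregate")
    return findings
```

Calling `lint(parse_interfaces(SAMPLE))` reports the admin access on `VLAN_100` and the undefined parent `portchannel1` on `VLAN_200`. The "not type aggregate" finding assumes the design in this thread, where every VLAN is meant to sit on the aggregate.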
