Support Forum
ykabbara
New Contributor

Same VLAN under two physical interface communication

Hi,

I have a FortiGate firewall v5.6. I need one of the VLANs to work on two different physical interfaces, as two different backbones exist.

So does a config like the one below work? How can I make both sub-interfaces communicate?

config system interface
    edit "VLAN.50.port.1"
        set vdom "root"
        set ip 172.20.2.1 255.255.255.0    ---> for example
        set allowaccess ping
        set interface "port1"
        set vlanid 50
    next
    edit "VLAN.50.port.2"
        set vdom "root"
        set ip ?????????????    ---> what IP should be used here.
        set allowaccess ping
        set interface "port2"
        set vlanid 50
    next
end

Thanks

Ysuf

Alexis_G
Contributor II

No, it doesn't.

--------------------------------------------

If all else fails, use the force !

rwpatterson
Valued Contributor III

The only way to do anything similar would be to trunk and aggregate ports. If your model is above a 100D-E, then you can do that, otherwise you cannot.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

sw2090
Honored Contributor

With aggregating or trunking you would lose the individual interfaces, so you could not have different subnets anymore, only the same VID.

If you just want to be able to communicate to/from VLAN 50, you only need a policy to allow this.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

rwpatterson
Valued Contributor III

I was referring to the capacity gain. Yes you would 'lose' an interface, but you could still hang the VLANs off of that fatter pipe.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

sw2090
Honored Contributor

Yep. I meant that just as an addition to what you wrote. If it came across differently, I apologize for that :)

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Toshi_Esumi
Esteemed Contributor III

Knowing the limitation of L2 interfaces, your only option is to aggregate the two physical interfaces into one hard/soft-switch interface, create a VLAN sub-interface on it if it needs to be tagged, then add a secondary IP/subnet to have two subnets on the same VLAN interface. Then both sides should be routed to each other.

eastcoastmatt

Just to follow up on this: if I have two access layer switches, each with two VLANs (A and B) on them, can I connect them to different physical interfaces of the FortiGate and use the same VLAN on both physical interfaces? Or do I need to aggregate those to a distribution switch and then connect the distribution switch to the FortiGate (via trunk and likely an aggregate port for density)?

So my setup would be something like: Switch1: VlanA and VlanB -> Fortigate port 1

Switch2: VlanA and VlanB -> Fortigate port 2

I don't see how this would work without a distribution switch, but wanted to confirm. Thanks

Toshi_Esumi
Esteemed Contributor III

As I, and others too, wrote before, the soft/hard-switch on the FGT acts as a distribution switch.

port1 --+
        +--> AggInt1 (soft or hard switch)
port2 --+

Then the same set of VLANs is shared between the two physical ports. And that's all any FGT can do for L2 switching.
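
The soft-switch design Toshi_Esumi describes in the two replies above, written out as an added FortiOS CLI example; it is not configuration from the original thread. The interface names, the 172.20.2.0/24 and 172.20.3.0/24 subnets, the "root" VDOM and the availability of intra-switch-policy on this platform are assumptions; VLAN ID 50 comes from the question.

```fortios
# Added example: one software switch joining port1 and port2, a tagged VLAN 50
# sub-interface on it, a secondary subnet, and the policy that lets the two
# subnets talk. Names, subnets and the "root" VDOM are assumptions.
config system switch-interface
    edit "sw-backbone"
        set vdom "root"
        set type switch
        set member "port1" "port2"
        # explicit: frames switched between port1 and port2 still pass
        # firewall policy instead of being bridged uninspected (assumed
        # supported on this firmware; the default is implicit)
        set intra-switch-policy explicit
    next
end
config system interface
    edit "VLAN50"
        set vdom "root"
        set ip 172.20.2.1 255.255.255.0
        set allowaccess ping
        set interface "sw-backbone"
        set vlanid 50
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 172.20.3.1 255.255.255.0
                set allowaccess ping
            next
        end
    next
end
# Hairpin policy: hosts in 172.20.2.0/24 and 172.20.3.0/24 enter and leave
# through the same VLAN interface, so VLAN50 -> VLAN50 needs an explicit rule.
# Narrow srcaddr/dstaddr to address objects for the two subnets in production.
config firewall policy
    edit 0
        set name "vlan50-between-subnets"
        set srcintf "VLAN50"
        set dstintf "VLAN50"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Without the last policy block, hosts in the two subnets can reach the gateway but not each other, which is the symptom sw2090's reply about needing a policy refers to.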
