Hi there,
we have a new customer with a FG61 HA Cluster and we need to configure different VLANs. Normally we just used Vlans for Wifi Networks and combined them with different LAN ports but for this configuration we need to configure 6 different VLANs.
We have the 5 LAN ports but we use PORT5 for the heartbeat monitor for HA. Also this FG model comes with a Fortilink A and B port which I found out can be used also as LAN ports.
Any idea for best way to configure this scenario?
Thanks a lot!!
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
The beautiful property of VLANs is that their number does not depend on the number of available physical ports. You can segment your LAN in as many ways as you wish.
The actual setup depends on what you expect how high the combined throughput will be.
Usually, I base all internal VLANs off the LAN port, or, the LAN aggregate port (LACP across several physical ports). You could do this IF...if the 61F already supports LACP. It should have been introduced in FortiOS v6.2.x (as rumours have it) so it depends on the firmware you run.
OTOH, you might as well get away with a shared 1 Gbps port for LAN and all VLANs as they wouldn't peak all at the same time (exception: backup time).
Hi Ede,
thanks for your reply. Unfortunately I dont have the information about the throughput but considering that they have actual an old panda gatedefender firewall, I thought that with the FG61F model we will be 100% on the safe side. I do know that their internet access is 600/600mb.
Since all Switches (I think HP models) have the configuration of all VLans, we decided not to change the configuration and use the DMZ port, etc. Though having DMZ and Fortilink ports A and B I was wondering which would be the best option.
So you say that I configure all 6 VLans on the LAN Interface (currently port 1-4) should be OK. The switches behind know the VLAN ID and the rest should be easy.
Am I right or do you have another suggestion?
Thanks in advance!
Roland,
You can break apart the internal switch and use a single interface (say internal5) as the physical interface to add the VLANs to. Or as you suggested you can use the DMZ interface for that purpose.
I've done something similar in the past and am actually planning to redesign my branch campuses to do this very thing with 60F models. I have many VLANs and will do some on each of 3 or 4 ports.
- Daniel
@RoBau:
if you are confident with 1 Gbps, put all VLANs on the LAN port. This way, you run only one cable to the (next) switch which carries a VLAN trunk.
You may first check if LACP (Network > Interfaces > New > Aggregate) is available on your FGT. If so, put 2 of the LAN ports into a new aggregate interface (release them first like @lobstercreed stated). That would give you 2 Gbps peak performance, for internal backup jobs or the like.
If you can't create an aggregate, the model doesn't support it. Fine as well.
Using the (default) internal switch for LAN and the VLAN trunk does not have any advantages; you will lose precious ports.
Of course you can use any physical port for the VLAN trunk, like "dmz" or any other (apart from "mgmt").
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1735 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.