Support Forum
piaakit1210
New Contributor III

vlan creation question in Fortigate

Dear All,

I would like to know the difference between these 3 VLAN settings. Which one is correct? These VLAN interfaces will be connecting to Meraki switches with APs, to be used as 2 SSIDs with different VLAN IP segments. On the other hand, do I need another dedicated physical interface to connect to the Meraki switch for the switch IP? Any help would be appreciated.

1. Each physical interface has a dedicated VLAN

(image: vlan case 1.jpg)

2. A software switch with 2 physical interfaces with 2 VLANs

(image: vlan case 2.jpg)

3. A single physical interface with 2 VLANs; will these be called sub-interfaces?

(image: vlan case 3.jpg)

keith

AEK
SuperUser

Hello

If you have enough free ports, you can use one port for each VLAN without needing to create a VLAN interface on the FGT, and on the switch side leave the two ports as access ports.

This is better for throughput.

If you have few free ports, use one physical link with multiple VLANs, like your 3rd example.

AEK
piaakit1210
New Contributor III

Hi AEK,

So is case 2 the incorrect setting? And in order to assign an IP address to the Meraki switch, I need another physical interface connected between the FGT and the Meraki, and the other 2 cables are for the 2 VLANs for SSID use. Am I correct? Thanks

keith

sw2090
SuperUser

All three settings will basically work :)

It depends on what you need. If you need the same VLANs but more than one physical port to connect switches, then use option 2. If one port is enough, use option 3.

VLANs in FortiOS are always treated as interfaces, so you can simply use them as the source or destination interface for policies or routes.

VLAN interfaces in FortiOS are always "tagged". This means that traffic hitting the physical interface they are tied to which has a matching VLAN tag will hit the corresponding VLAN interface, and all other traffic will hit the physical interface. Just like a VLAN trunk on a switch would work.

--

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
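An added example of what this answer describes, written here as FortiOS CLI (an illustration, not configuration posted in the thread or taken from Fortinet documentation): option 3 from the question, two tagged VLAN interfaces on internal4 (the port named later in the thread), each of which is then used directly as a policy interface. The VLAN IDs, subnets, interface names and the uplink name wan1 are assumed values.

```fortios
# Added example: option 3 from the question, two tagged VLAN
# interfaces on the single physical port internal4.
# VLAN IDs, subnets, interface names and "wan1" are assumed values.
config system interface
    edit "ssid-staff"
        set vdom "root"
        set interface "internal4"
        set vlanid 10
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
    edit "ssid-guest"
        set vdom "root"
        set interface "internal4"
        set vlanid 20
        set ip 10.10.20.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
end
# The Meraki port facing internal4 must be an 802.1Q trunk carrying
# VLANs 10 and 20; frames with any other tag, or no tag, land on
# internal4 itself, as the answer above describes.

# Each VLAN interface is an ordinary policy interface. Only traffic
# matched by a policy is forwarded; guest-to-staff has no policy here,
# so the implicit deny drops it.
config firewall policy
    edit 0
        set name "guest-to-internet"
        set srcintf "ssid-guest"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Keeping allowaccess to ping on user-facing VLAN interfaces means the FGT's admin GUI and SSH are not reachable from the SSID segments; management stays on the segment AEK describes below.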
AEK
SuperUser

For case 2, take precautions to avoid a loop, since the FGT will show the same MAC addresses from both ports. LACP can also be a good solution.

Regarding the interface for switch IP use, if you mean for switch management, I'd not waste a FGT port just to manage a single switch. Usually in corporate networks with good design there is a segment dedicated to management purposes; the FGT can be connected to that network via a dedicated port to filter access to the managed devices. But the solution for you depends on your existing environment and on what you need. My advice is not just to make it work, but to make a good design for both network and security.

AEK
hbac
Staff

Hi @piaakit1210,

Can you provide a network topology? I believe you are connecting internal4 and internal5 to 2 different switches?

Regards,
