Dear All,
I would like to know the difference between these 3 VLAN settings; which one is correct? These VLAN interfaces will be connecting to Meraki switches with APs, to use as 2 SSIDs with different VLAN IP segments. On the other hand, do I need another dedicated physical interface to connect to the Meraki switch for the switch IP use? Any help would be appreciated.
1. each physical interface has dedicated vlan
2. a software switch with 2 physical interfaces with 2 vlans
3. a single physical interface with 2 VLANs; would these be called sub-interfaces?
keith
Hello
If you have enough free ports you can use one port for each VLAN without needing to create a VLAN interface on the FGT, and on the switch side leave the two ports as access ports.
This is better for throughput.
In case you have few free ports, use one physical link with multiple VLANs like your 3rd example.
Hi AEK,
So for case 2, which setting is incorrect? And in order to assign an IP address to the Meraki switch, I need another physical interface connected between the FGT and the Meraki, and the other 2 cables are for the 2 VLANs for SSID use, am I correct? Thanks
keith
all three settings will basically work :)
It depends on what you need. If you need the same VLANs but more than one physical port to connect switches, then use option 2. If one port is enough, use option 3.
VLANs in FortiOS are always treated as interfaces, so you can simply use them as source or destination interface for policies or routes.
Vlan interfaces in FortiOS are always "tagged". This means traffic hitting the physical interface they are tied to that has a matching vlan tag will hit the corresponding vlan interface and all other traffic will hit the physical interface. Just like a vlan trunk on a switch would work.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
For case 2, take precaution to avoid a loop, since the FGT will show the same MAC addresses from both ports. LACP can also be a good solution.
Regarding the interface for switch IP use: if you mean for switch management, I'd not waste a FGT port just to manage a single switch. Usually in corporate networks with good design there is a segment dedicated to management purposes; the FGT can be connected to that network via a dedicated port to filter access to managed devices. But the solution for you depends on your existing environment and on what you need. My advice is not just to make it work, but to make a good design for both network and security.
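A worked FortiOS CLI configuration for the points made in the two replies above (tagged VLAN interfaces hanging off a parent port, VLANs used directly in policies, and LACP in place of a software switch for case 2). This is an added illustration, not configuration posted by anyone in this thread. It assumes the port names internal4 and internal5 mentioned later in the thread, VLAN IDs 10 and 20, the 192.168.10.0/24 and 192.168.20.0/24 ranges, and an uplink interface named wan1; all of these are placeholders to adapt.

```fortios
# Added example (not from this thread): two SSID VLANs on a FortiGate.
# Assumed placeholder values: ports internal4/internal5, VLAN IDs 10 and 20,
# 192.168.10.0/24 and 192.168.20.0/24, uplink interface "wan1".

# Case 2, done with LACP instead of a software switch so the two links to the
# Meraki stack cannot form a loop (the Meraki side needs a matching LACP port-channel).
config system interface
    edit "agg-meraki"
        set vdom "root"
        set type aggregate
        set member "internal4" "internal5"
        set lacp-mode active
    next
end

# The VLAN interfaces. They only see frames tagged 10 or 20; untagged frames
# stay on the parent. For case 3 (a single port) set interface "internal4"
# instead of "agg-meraki"; everything else is identical.
config system interface
    edit "ssid-staff"
        set vdom "root"
        set interface "agg-meraki"
        set vlanid 10
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
    next
    edit "ssid-guest"
        set vdom "root"
        set interface "agg-meraki"
        set vlanid 20
        set ip 192.168.20.1 255.255.255.0
        set allowaccess ping
    next
end

# VLAN interfaces are ordinary policy endpoints. With only this policy in place,
# guest clients reach the internet but cannot reach the staff VLAN, because
# FortiOS drops anything no policy explicitly permits.
config firewall policy
    edit 0
        set name "ssid-guest-to-internet"
        set srcintf "ssid-guest"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

After applying it, `get router info routing-table all` should list connected routes for both VLAN subnets, and the two VLAN names appear as selectable interfaces in the policy editor. Keeping the staff VLAN reachable from the guest VLAN requires adding a separate policy on purpose, which is the point of splitting the SSIDs into VLANs in the first place.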
Hi @piaakit1210,
Can you provide a network topology? I believe you are connecting internal4 and internal5 to 2 different switches?
Regards,
Copyright 2024 Fortinet, Inc. All Rights Reserved.