- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Network design query
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Network design query
Hi All,
I am just working through a new network design for our business. We are just about to relocate our production data centre to a professional managed facility.
Our business is split over three sites. They are main business, DR site and Production site.
Our WAN will be a managed WAN (carrier will look after) with dual routers installed at each site (Cisco 3845) with a copper hand off from each. The routers will run HSRP with only one router being active at any one time. The access rate at each site will begin at 100M. We have around 120 users at the business premise.
I' m trying to address the design site by site and will begin with the business premise. The LAN is made up of Cisco 2960 (x4) that connect upstream to Cisco 3750 (2), which currently patch into a Fortigate 1000A appliance. The appliance is overkill for a site of our size but it is what it is.
In the new design we will have several VLANs that terminate on the 3750x. I plan to configure a VLAN on the 3750 with a /29 address and then connect this to the Fortigate. I am using a /29 in case there is a design change in the future.
I was then planning on attaching the WAN router to one of the Fortigate interfaces and routing the LAN to the WAN through these two ports.
I then plan to define policies for specific address ranges that can traverse the WAN by destination address, services, etc for the different networks that are configured on the Cisco 2960/3560, will ACLs applied on the VLANs for security between these VLANs.
Does this design sound reasonable? Would you suggest connecting this physically any other way? I am hoping to meet with our Fortinet account manager/pre-sales to discuss this further. Just after a bit of feedback from others.
Thanks as always,
Darren
Fortigate 1000A
v4.0,build194,100121 (MR1 Patch 4)
Fortianalyzer 800B
v4.0,build0130 (MR1 Patch 3)
Fortigate 1000A v4.0,build194,100121 (MR1 Patch 4) Fortianalyzer 800B
v4.0,build0130 (MR1 Patch 3)
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why not pass all the VLANs to the Fortigate and have it do the policies? Piece of cake on the 1000A.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Bob,
Thanks for the response.
Can you elaborate a little more on the design/configuration to support this i.e would you create VLAN interfaces of a physical interface or would you look to use a port per VLAN?
Currently in the access layer (user workstations) I have several 2960' s with the 3750s acting as the L3 device. The 3750 also acts as the root bridge, etc for each of the VLANs.
Would you configure the Fortigate to be the default gateway for each of the VLANs?
I' m working with VLANs and using 10.1.x.x (business site), 10.2.x.x(prod data centre), 10.3.x.x (dr data centre)
Fortigate 1000A
v4.0,build194,100121 (MR1 Patch 4)
Fortianalyzer 800B
v4.0,build0130 (MR1 Patch 3)
Fortigate 1000A v4.0,build194,100121 (MR1 Patch 4) Fortianalyzer 800B
v4.0,build0130 (MR1 Patch 3)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
50 50 either way you go at it. Placing the L3-SVIs on the Fortigate or on the 3750 and both will get the same thing done.
Now the question that rwpatterson might be eluding to, do you need internal-vlan security?
i.e does vlanX ned policies between vlanY
If you need intranet filtering and policies, than you might be better with the vlans span to the FGT1000A and all of the cisco as basic layer2. switch.
Suggestion, if the 3750 are stack, you can add some redundancey by bonding 2 ports on the 100A0A back to each of the 2x3750s. This will give you multipath connectivity from the fw-appliance to the core switch.
If you later add a 2nd firewall, do the same, 2 interfaces attached to 2 3750s in a LACP bundle.
But your plan and thought are solid and what I would do minus the above if you need policies defined between vlans.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thanks again guys for all of your valuable input.
Regarding the question ' do you need internal VLAN security' my answer would be not now, but this may change in the future.
With this in mind I will investigate this design in my test lab.
emnoc, apologies, I should of made it clearer. I Already have 2 x 1000A configured in a HA cluster. I have 2 x 60B in my test lab that I hope to test the conceptual design with.
I' m now about to investigate the LACP (etherchannel) on my lab. Do any of the Fortigate models I am using not support this. I will investigate, but if you know this off the top of your head that would save me some time.
Thanks again guys, much appreciated.
Darren
Fortigate 1000A
v4.0,build194,100121 (MR1 Patch 4)
Fortianalyzer 800B
v4.0,build0130 (MR1 Patch 3)
Fortigate 1000A v4.0,build194,100121 (MR1 Patch 4) Fortianalyzer 800B
v4.0,build0130 (MR1 Patch 3)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Scratch that regarding the 60B, I can see that isn' t supported from the first KB search.
Fortigate 1000A
v4.0,build194,100121 (MR1 Patch 4)
Fortianalyzer 800B
v4.0,build0130 (MR1 Patch 3)
Fortigate 1000A v4.0,build194,100121 (MR1 Patch 4) Fortianalyzer 800B
v4.0,build0130 (MR1 Patch 3)
Related Posts
- ADVPN IBGP Advertisement & Overlay Cross... 285 Views
- Using AD groups sent by SAML... 216 Views
- Fortinac Self Registered Guest Check Reguest 607 Views
- Test Demo Network 290 Views
- configure internal DNS server behind Fortigate 722 Views
Labels
-
FortiGate
6,571 -
FortiClient
1,308 -
5.2
801 -
5.4
639 -
FortiManager
568 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
338 -
FortiAP
336 -
FortiClient EMS
267 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
61 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
25 -
Firewall policy
24 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
15 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
Logging
11 -
LDAP
10 -
Virtual IP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SSO
6 -
Traffic shaping policy
5 -
SNMP
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Web profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Email filter profile
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.