Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MartyDon
New Contributor

VLAN Implementation

Good day

I need to implement a VLAN network as my client will be looking to have his network made a little more redundant with a failover from HO to Branch with a fibre optic cable between. He wants this to be a failover for internet too, so that if the Head Office primary ISP goes down, then all traffic will use this connection.

The switch that he will use will also be used at a later stage for multiple other offices to connect to.

They are using a FortiGate 200D (HA) which will connect to a new Cisco 2960 -> direct connection from there to the FortiGate at the branch office (it's across the road). Is it difficult to set up VLANs on a FortiGate?

I have done VLANs over 6 years ago on Cisco devices but never on a FortiGate.

Another point to mention is that there will be a microwave link between the offices that will be used as a 3rd failover. This will be connected to the switch.

Will I need to create two separate VLANs (one for the first failover, and the other for the second)?

Can SD-WAN be used if you are using VLAN interfaces?

Should I create a site-to-site IPsec VPN (using on-demand) for the third microwave link failover?

I have drawn up a small diagram on this to try and get a better view of it.

Looking forward to some ideas and suggestions on this.

Regards,

Marty

4 REPLIES
tanr
Valued Contributor II

Hi Marty, welcome to the forums.

 

I'll guess you're using FortiOS 5.6?

 

VLANs on FortiGates are created as sub-interfaces on a physical interface, aggregate, or FortiGate (hardware/software) switch interface. They're relatively simple. One important thing to note is that in most cases the FortiGate's VLAN interfaces are tagged only, not untagged/native, so your connected switch or other device will need to support that.

 

I think you'll want to control your own failover more fully and so wouldn't want SD-WAN, but that depends on your needs.  I describe failover cases below.

 

You'll need to create link-monitor objects to determine if a link is down and have available routes in your (static?) routes that provide the route out the backup links.  See http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-networking/Interfaces/Dual%20Internet... for an example.  

 

I would recommend having your routes and backup routes with the same distance but different priorities, so that all those routes stay in the routing table and are available (until the link-monitor removes one that references an interface that is down).  The route with the "highest" priority (lowest number) will be used.

 

See https://cookbook.fortinet.com/redundant-internet-basic-failover-56/ for an example with the same distance but different priorities.

 

Regarding an IPsec VPN over the microwave link, unless it's already encrypted/secured I assume you would need something like that to keep things secure.  The admin guide and cookbook articles list out most of the VPN details you'll need, though you may need to dig through the forums for details on doing it with certificates.

 

Hope this helps!
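The design tanr lays out above (tagged VLAN sub-interface, one link monitor per uplink, default routes with the same distance but different priorities), written out as FortiOS 5.6-style CLI. This is an added example, not tanr's or Fortinet's configuration, and it goes one step beyond the reply by covering all three uplinks Marty mentions (primary ISP, fibre VLAN to the branch, microwave). Interface names (`port10`, `port11`, `wan1`), the VLAN ID, the monitor names and every IP address are assumptions using documentation/private ranges; replace them with your own.

```fortios
# Added example (not from the thread). All names and addresses below are
# constructed placeholders; adjust to the real interfaces and ISP gateways.

# 1. Tagged VLAN sub-interface on the port facing the Cisco 2960.
#    The FortiGate sends this VLAN tagged, so the 2960 port must be a trunk
#    that carries VLAN 100 (not an access port).
config system interface
    edit "vlan100-branch"
        set vdom "root"
        set interface "port10"
        set vlanid 100
        set ip 10.100.0.1 255.255.255.0
        set allowaccess ping
    next
end

# 2. One link monitor per uplink. Each probe is sent out its srcintf only,
#    and update-static-route removes that interface's static routes from the
#    routing table while the probe target is dead. For the initial tests,
#    point "server" at hosts you control so you can stop them answering.
config system link-monitor
    edit "mon-wan1"
        set srcintf "wan1"
        set server "198.51.100.10"
        set protocol ping
        set interval 5
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
    edit "mon-fibre"
        set srcintf "vlan100-branch"
        set server "10.100.0.2"
        set protocol ping
        set interval 5
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
    edit "mon-microwave"
        set srcintf "port11"
        set server "10.200.0.2"
        set protocol ping
        set interval 5
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
end

# 3. Three default routes with the SAME distance and DIFFERENT priorities.
#    Same distance keeps all three in the routing table; lowest priority
#    number wins. wan1 (0) > fibre VLAN (10) > microwave (20).
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 0
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 10.100.0.2
        set device "vlan100-branch"
        set distance 10
        set priority 10
    next
    edit 3
        set dst 0.0.0.0 0.0.0.0
        set gateway 10.200.0.2
        set device "port11"
        set distance 10
        set priority 20
    next
end
```

Two things to check before relying on it: the branch FortiGate needs a matching VLAN interface on its side of the 2960 plus routes back to the head-office LAN over both the fibre VLAN and the microwave link, and the firewall policies at head office must allow LAN traffic out of all three interfaces, otherwise the routing failover will work but the traffic will still be dropped.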

tanr
Valued Contributor II

Another reason to have multiple routes with the same distance but different priorities is that you can then create policy routes that override the highest priority route to route more specific traffic over any of those routes (with same distance but different priorities) based on things like source, protocol, etc.
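A policy route of the kind tanr describes, as an added example (not from the post or from Fortinet): it steers one class of traffic over the fibre VLAN even while the higher-priority ISP default route is active. The interface names, gateway and subnet are the same constructed placeholders used in the earlier added example and are assumptions.

```fortios
# Added example, constructed names/addresses. Sends HTTPS (TCP 443) from the
# head-office LAN out the fibre VLAN to the branch, regardless of which
# default route currently has the best priority.
config router policy
    edit 1
        set input-device "internal"
        set src "10.10.0.0/255.255.0.0"
        set protocol 6
        set start-port 443
        set end-port 443
        set output-device "vlan100-branch"
        set gateway 10.100.0.2
    next
end
```

Policy routes are evaluated before the routing table, so test what happens to this traffic when the fibre link is down (the link monitor above only removes static routes, not policy routes) and confirm in your lab that it falls back to normal routing rather than being dropped.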

MartyDon
New Contributor

Thanks for this. 

 

You have really given me a better idea on this.

Can I implement link monitoring for 3 interfaces? Can I have routing done on all 3 with different priorities so that if ever the first two fail then the microwave link will kick in as the new default route? If so, then this can be used instead of the IPSec VPN that I originally wanted to use.

 

They want the most redundant network failover, with hardly any need of an engineer needing to be onsite to change cables or routers etc.

tanr
Valued Contributor II

I haven't set up failover with three separate interfaces, link monitors, and routes, but I think it should work fine.

 

I would make sure you test it by initially having the IPs you ping be local servers you control so you can stop them responding to the ping and watch how the failover progresses, and how things get restored back onto the higher priority route when you allow those servers to respond to ping again.  Note that existing sessions won't be automatically switched off the backup route to the restored route, just new sessions.
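CLI checks for the test tanr describes (stop the monitored hosts answering, watch the route change, let them answer again, confirm the higher-priority route returns). This is an added example, not from tanr's reply; the monitor name and addresses match the constructed placeholders used in the earlier added examples and are assumptions.

```fortios
# Added example, constructed names/addresses.

# Active routing table: only one default route should show at a time, the
# one with the lowest priority number among the uplinks that are up.
get router info routing-table all

# Routing database: shows all three defaults, including the inactive ones,
# so you can confirm they share the same distance and differ in priority.
get router info routing-table database

# Per-monitor state (alive/dead) and probe counters for wan1/fibre/microwave.
diagnose sys link-monitor status

# Manually probe a target out a specific interface by sourcing the ping
# from that interface's own address (here the fibre VLAN).
execute ping-options source 10.100.0.1
execute ping 10.100.0.2

# Existing sessions stay on the backup path after the primary recovers.
# To inspect them, filter on the backup next hop and list; clearing the
# filtered sessions forces them to be re-established over the restored route.
# WARNING: "diagnose sys session clear" with no filter set clears every session.
diagnose sys session filter dst 10.100.0.2
diagnose sys session list
diagnose sys session clear
diagnose sys session filter clear
```

Run the first three commands before the test, after each simulated failure, and again after recovery; a correct setup shows the routing table moving to the next priority and back, with the database never losing the inactive routes.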
